Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content-inclusive embedding (in addition to, or replacing, iframe-based embedding) #27626

Open
UppaJung opened this issue Oct 30, 2023 · 0 comments
Open

Content-inclusive embedding (in addition to, or replacing, iframe-based embedding) #27626

UppaJung opened this issue Oct 30, 2023 · 0 comments
Labels
suggestion Feature suggestion

Comments

@UppaJung
Copy link

Pitch

The problems with iframe-based embedding

Whereas most social media generates embeds that includes the text content of a post, Mastodon's current option for embedding posts/activity/toots on other websites as a single iframe element linking to a page containing the content, which has three significant shortcomings:

  • incurring an overhead of > 1MB per page load containing an embedded post (slowing page loads and taxing the Mastodon server hosting the embedded content)
  • denying those embedding content the ability to format/style it (whereas federated social media typically allows endpoints to format/reformat shared activities)
  • creating a security hazard as the frame is implemented with both the allow-scripts and allow-same-origin attributes set, removing sandboxing. As a result, **a compromised mastodon server can compromise all web pages that embed content from it.)

When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Proposal: content-inclusive embedding

Content-inclusive embedding creates HTML elements to embed that include at least the written content of the post. That content can be rendered even if the server is unavailable, can be styled/formatted by the embedder, and gives embedders the choice to capture the post (content and counters) at a moment in time or keep it updated. Updating requires 1% of the network overhead of iframe-based embedding (3k for script + 1 API call).

The Mastodon v1 API already allows third-parties to support this approach, and as you can see from this proof of concept for generating content-inclusive embedding and the blog post accompanying it. However, better to make it first-party with default style sheets that match how the Mastodon team would like embedded content rendered with by default.

Motivation

This change would make it easier for the news media, bloggers, and everyone else to embed content from Mastodon into their websites without risking their security, without taking away their ability to control the layout of their content, and without imposing MB of overhead.
@UppaJung UppaJung added the suggestion Feature suggestion label Oct 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
suggestion Feature suggestion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@UppaJung