Conversation

Notices

1. Embed this notice
   Stefan Bohacek (stefan@stefanbohacek.online)'s status on Sunday, 15-Sep-2024 20:11:16 JST Stefan Bohacek

   So an interesting change is coming to Mastodon embeds.

   Previously, the embed code consisted of an iframe, going forward, this is being switched to a blockquote.

   In either case, the original text of the post is not included and is rather added after the main page the embed is on is loaded.

   https://github.com/mastodon/mastodon/pull/31766

   #mastodon #embeds #fediverse

   • Embed this notice
     qwazix (qwazix@bananachips.club)'s status on Sunday, 15-Sep-2024 20:11:12 JST qwazix

     in reply to

     @stefan now that I think about it, with instances coming and going, this is a security issue. I can go buy a domain of a defunct instance and XSS all sites that ever embedded a post.

     gidi likes this.
   • Embed this notice
     Stefan Bohacek (stefan@stefanbohacek.online)'s status on Sunday, 15-Sep-2024 20:11:13 JST Stefan Bohacek

     in reply to

     For comparison, the previous (and on most Mastodon servers, the current) version looked like this.

   • Embed this notice
     qwazix (qwazix@bananachips.club)'s status on Sunday, 15-Sep-2024 20:11:13 JST qwazix

     in reply to

     @stefan it seems presumptive to my old webdev mind to assume all places that allow embeds will allow external js.

     Also, seriously, do you expect me to backdoor my own site??

     gidi repeated this.
   • Embed this notice
     Stefan Bohacek (stefan@stefanbohacek.online)'s status on Sunday, 15-Sep-2024 20:11:14 JST Stefan Bohacek

     in reply to

     Okay, looking at the new embed code more closely, this is...something else.