masto-fe/public/embed.js
rinsuki 6e736f2452
fix: embed.js doesn't expands iframes height (#18301)
also including some refactoring:
- add `// @ts-check`
- use Map to completely avoid prototype pollution
- assign random id to each iframe for reduce chance to brute-force attack, and leak of iframe counts
- check iframe.contentWindow and MessageEvent.source to validate message is coming from correct iframe (it works on latest Chrome/Firefox/Safari but I'm not sure this is allowed by spec)

follow-up of #17420
fix #18299
2022-05-04 03:20:44 +02:00

65 lines
1.6 KiB
JavaScript

// @ts-check
(function() {
'use strict';
/**
* @param {() => void} loaded
*/
var ready = function(loaded) {
if (['interactive', 'complete'].indexOf(document.readyState) !== -1) {
loaded();
} else {
document.addEventListener('DOMContentLoaded', loaded);
}
};
ready(function() {
/** @type {Map<number, HTMLIFrameElement>} */
var iframes = new Map();
window.addEventListener('message', function(e) {
var data = e.data || {};
if (typeof data !== 'object' || data.type !== 'setHeight' || !iframes.has(data.id)) {
return;
}
var iframe = iframes.get(data.id);
if ('source' in e && iframe.contentWindow !== e.source) {
return;
}
iframe.height = data.height;
});
[].forEach.call(document.querySelectorAll('iframe.mastodon-embed'), function(iframe) {
// select unique id for each iframe
var id = 0, failCount = 0, idBuffer = new Uint32Array(1);
while (id === 0 || iframes.has(id)) {
id = crypto.getRandomValues(idBuffer)[0];
failCount++;
if (failCount > 100) {
// give up and assign (easily guessable) unique number if getRandomValues is broken or no luck
id = -(iframes.size + 1);
break;
}
}
iframes.set(id, iframe);
iframe.scrolling = 'no';
iframe.style.overflow = 'hidden';
iframe.onload = function() {
iframe.contentWindow.postMessage({
type: 'setHeight',
id: id,
}, '*');
};
iframe.onload();
});
});
})();