Fix replacing some lazy-loaded widgets #2994
Conversation
|
I tested the Embedly link and the links in #2989. The fix worked for everything except the YouTube player on https://www.vox.com/22362894/which-covid-vaccine-is-better-moderna-vs-pfizer-video Also, while testing non-lazy-loaded widget pages, I noticed we might need to yellowlist |
OK, it's not a lazy load situation, but a YouTube API widget nested inside an iframe. The following patch fixes it but it would be better if we could instead allow surrogate API messages from all first party (according to our MDFP definitions) frames: diff --git a/src/js/contentscripts/utils.js b/src/js/contentscripts/utils.js
index 8607f71a..0cc96e11 100644
--- a/src/js/contentscripts/utils.js
+++ b/src/js/contentscripts/utils.js
@@ -66,7 +66,8 @@ window.FRAME_URL = getFrameUrl();
// investigate implications of third-party scripts in nested frames
// generating pbSurrogateMessage events
if (window.top != window) {
- if (!window.FRAME_URL.startsWith('https://cdn.embedly.com/')) {
+ if (!window.FRAME_URL.startsWith('https://cdn.embedly.com/') &&
+ !window.FRAME_URL.startsWith('https://volume.vox-cdn.com/')) {
return;
}
} |
ghostwords
added
the
widgets
Makes sense! Do we have already have an issue opened for this? |
For messages from top level frames, and from nested frames that are trivially first party (same scheme and host) to the tab.
ghostwords
force-pushed
the
lazy-loaded-widgets
branch
from
9936230
to
ed7bb6a
Compare
If a nested frame is CNAME aliased to a first party hostname, then let's accept widget surrogate messages as that frame was opted into the site's infrastructure by the publisher.
Fixes #2989. Follows up on #2852.
Also fixes replacing Embedly frame loaded (nested) surrogate JS API-powered widgets:
Lazy loaded example that still doesn't work:
Surrogate JS API-powered example that no longer works (unrelated to this PR; a "loading" overlay hides our placeholder):