lexi

i like breaking computers

  • it/its, #[deprecated] she/her
  • ./a.out

i like rust, nix, linux, infosec, webdev and i shitpost a lot. ctf player and so-called "security researcher". aroace, agender, nb, nd, disabled, &, ΘΔ :3 🏳️‍⚧️ 🟨⬜️🟪⬛️

picrew: #1322863




in reply to @easrng's post:

we've been talking about this internally since you posted it and (for you and for anyone else using chiframes) @staff wanted to post a semi-official update on how we feel about it:

  • this is extremely clever;
  • we're not gonna ban you or anyone else over it, but if people do evil things with it we may ban them, or block iframely embeds from tumblr as a temporary measure;
  • the parts we like least about it are a) how chiframes redecorates the embed box to hide the embedded URL by default (which is kind of understandable, the embedded URL is pretty gnarly) b) the fact that iframely gets bamboozled into thinking that the third-party content it's showing is from tumblr rather than the "real" iframe;
  • we were always blanket-banning iframes more out of paranoia than anything else (since the browser's security sandbox should still ensure that the content obeys the same-origin rule, etc.) and we might reconsider that in the future in an attempt to provide iframe support that provides better guidance to users about what third-party content they're viewing and doesn't bounce them through an embed of someone's custom tumblr theme.

nothing else to announce right now, though.

It might be a good idea to allow iframes with a hardcoded sandbox attribute to prevent modals and redirecting the top level page and stuff. I can add one to the inner frame on chiframe.tumblr.com too, to block that stuff now for people using chiframe.
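
The hardcoded-sandbox idea from the comment above, sketched as an added example (not part of the thread and not cohost's or chiframe's code): a server-side step that rebuilds a user-submitted iframe with a fixed `sandbox` value. The function name `hardenIframe`, the attribute-map input shape and the chosen token list are assumptions made for illustration.

```javascript
// Hardcoded policy (constructed for this example). Omitting allow-modals blocks
// alert()/confirm()/prompt(); omitting every allow-top-navigation* token stops
// the frame from redirecting the top-level page. allow-same-origin is also left
// out, so the framed content runs in an opaque origin.
const SANDBOX = "allow-scripts allow-forms";

// Encode characters that could break out of a double-quoted HTML attribute.
const escapeAttr = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// attrs: attribute map parsed from a user-submitted <iframe> (hypothetical shape).
// Returns the rebuilt tag, or null if the embed is rejected.
function hardenIframe(attrs) {
  let url;
  try {
    url = new URL(attrs.src);
  } catch {
    return null; // missing, relative or unparseable src
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, http:

  // The sandbox value is always ours; a user-supplied one is never consulted.
  const out = [`src="${escapeAttr(url.href)}"`, `sandbox="${SANDBOX}"`];

  // Copy only numeric layout attributes. Everything else the user sent
  // (sandbox, srcdoc, allow, event handlers) is dropped rather than filtered.
  for (const name of ["width", "height"]) {
    if (/^\d{1,4}$/.test(String(attrs[name] ?? ""))) {
      out.push(`${name}="${attrs[name]}"`);
    }
  }
  return `<iframe ${out.join(" ")}></iframe>`;
}
```

Rebuilding the tag from an allowlist, instead of editing the submitted markup, means a user-supplied `sandbox="allow-top-navigation allow-modals"` cannot survive.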

ohh,, thank you !! i will mess with this in a bit... right now im messing with trying to get my game unitres dreams working on cohost... its only on itch.io and i dont know how to properly embed newgrounds games so i have to deal with uploading it to itch which is giving me trouble right now...

might it be worth adding a little something for better fallback content (other than a link to the settings page for turning on embeds) so these don't end up outright hiding content from people who'd rather keep embeds off? i did something like that by hand in this post https://cohost.org/lifning/post/4226889-here-s-an-example-of but it probably doesn't have to be anything so elaborate - just a clickable link to the original iframe URL too, next to the one to the settings page, would do wonders