// NOTE: embed.js is deprecated and only exists for compatibility reasons.
// Please use a direct <iframe> of embed.html instead!
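(function() {
  'use strict';

  // Compatibility: The embed.js <script> tag does not work in some common WYSIWYG website designers.
  // Security: The <script> tag has full access to the website it is embedded in, while an <iframe> is
  // isolated from it. There have also been some known security vulnerabilities that the iframe is immune from.
  console.warn('forkphorus: embed.js is deprecated due to compatibility and security concerns and may stop working in the future. Please use a direct <iframe> of embed.html instead! The generator on https://forkphorus.github.io/ has been updated to do this.');

  /**
   * Convert a raw query-string value into a usable pixel dimension.
   * @param {string|undefined} raw - Text after the '=' of a `w` or `h` parameter.
   * @param {number} fallback - Value to keep when `raw` is missing or not a positive finite number.
   * @returns {number} The parsed dimension, or `fallback`.
   */
  function toDimension(raw, fallback) {
    var value = Number(raw);
    // Without this check a missing or malformed value becomes NaN and the frame gets a "NaN" width/height.
    return isFinite(value) && value > 0 ? value : fallback;
  }

  // Get this script's HTML element.
  // We'll replace the script element with the frame.
  var script = document.currentScript;

  // document.currentScript is null when there is no currently executing classic script; fail with a
  // clear message instead of a TypeError on the property access below.
  if (!script) {
    throw new Error('forkphorus: document.currentScript is not available. Unable to locate the embed <script> element.');
  }

  // Named elements can override document.currentScript. Because we generate the iframe's source from the
  // script's source, blindly using the source from that named element would be a security bug.
  // instanceof is used rather than reading tagName so that no property of the possibly
  // attacker-supplied element is consulted when deciding whether to trust it.
  if (!(script instanceof HTMLScriptElement)) {
    throw new Error('forkphorus: document.currentScript is not a script. This indicates a DOM clobbering attack. Refusing to continue for security.');
  }

  // Rewrite embed.js to embed.html. This is checked before anything is built so that an unexpected
  // script URL never results in a frame being inserted.
  var iframeSrc = new URL(script.src);
  if (!iframeSrc.pathname.endsWith('/embed.js')) {
    throw new Error('forkphorus: embed script is not named embed.js. Unable to safely generate <iframe> src. Refusing to continue for security.');
  }
  iframeSrc.pathname = iframeSrc.pathname.replace(/\/embed\.js$/, '/embed.html');

  // Determine the hasUI option to properly size the frame.
  var hasUI = true;
  var baseWidth = 480;
  var baseHeight = 360;

  // Read the options from the parsed URL's query component. A script URL without any "?" yields
  // an empty list here instead of throwing, and a trailing "#fragment" is not mistaken for part
  // of the last value.
  var query = iframeSrc.search.replace(/^\?/, '');
  var params = query ? query.split('&') : [];
  params.forEach(function(p) {
    var parts = p.split('=');
    switch (parts[0]) {
      case 'ui':
        hasUI = parts[1] !== 'false';
        break;
      case 'w':
        baseWidth = toDimension(parts[1], baseWidth);
        break;
      case 'h':
        baseHeight = toDimension(parts[1], baseHeight);
        break;
    }
  });

  var iframe = document.createElement('iframe');
  iframe.setAttribute('allowfullscreen', true);
  iframe.setAttribute('allowtransparency', true);

  // NOTE(review): no sandbox attribute is set on the frame, so its isolation from the embedding page
  // rests on the browser's origin separation between the page and the frame's URL.
  // The query string is passed through unchanged, so embed.html has to treat every parameter as untrusted.
  iframe.src = iframeSrc.href;

  if (hasUI) {
    // include enough for controls and the player border
    iframe.width = baseWidth + 2;
    iframe.height = baseHeight + 33;
  } else {
    iframe.width = baseWidth;
    iframe.height = baseHeight;
  }

  iframe.style.border = '0';
  iframe.className = 'forkphorus-embed';
  script.parentNode.replaceChild(iframe, script);
}());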