If you don’t mind all of those downsides, here is how you would go about enforcing SRI on a Twitter embed.
Auditing the code is up to you, as a developer, and if you miss something, there could be catastrophic results (embedded keyloggers, PII stealers, etc.). With SRI, the only guarantee is that the external code has not changed, not that it is safe to use.
Each time they make an update, you would have to audit the change, then compute a new hash digest and update your embed code. Since the hashes have to match exactly, even adding a single semicolon on their end will cause the script to start getting blocked.
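The digest step and the "single semicolon" failure described above can be reproduced offline. This is an added example, not code from the original post or from the tool it describes; the function names, the sample script bodies and the `https://cdn.example/embed.js` URL are assumptions made for illustration.

```javascript
// Added example: SRI digest generation and a browser-style integrity check,
// using only Node's built-in crypto module.
const crypto = require('crypto');

// Hash functions SRI defines, ordered weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];
// One integrity token: "<alg>-<base64 digest>", optionally followed by "?options".
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/;

function b64Hash(body, alg) {
  return crypto.createHash(alg).update(body).digest('base64');
}

// Value to paste into the integrity attribute after auditing `body`.
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${b64Hash(body, alg)}`;
}

// Mimic the browser check: unknown or malformed tokens are ignored, only the
// strongest listed algorithm is enforced, and any matching digest passes.
function checkIntegrity(body, integrityAttr) {
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => TOKEN.exec(t))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
  if (tokens.length === 0) return true; // nothing enforceable: resource loads
  const best = Math.max(...tokens.map((t) => STRENGTH.indexOf(t.alg)));
  return tokens
    .filter((t) => STRENGTH.indexOf(t.alg) === best)
    .some((t) => t.digest === b64Hash(body, t.alg));
}

// crossorigin is needed for cross-origin SRI: without CORS the browser
// cannot read the response body to hash it, so the load is blocked.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriDigest(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample: the audited script, and an "update" adding one semicolon.
const audited = Buffer.from('console.log("embed v1")');
const updated = Buffer.from('console.log("embed v1");');
const pinned = sriDigest(audited);

console.log(scriptTag('https://cdn.example/embed.js', audited)); // hypothetical URL
console.log('audited passes:', checkIntegrity(audited, pinned));
console.log('updated passes:', checkIntegrity(updated, pinned));
```

An integrity value that contains only unsupported or malformed tokens enforces nothing, so a typo in the algorithm prefix silently disables the check instead of blocking the script.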
Subresource Integrity (SRI) (MDN Docs) is a security feature baked into several modern browsers that provides a way to verify (and enforce) that the external resource received from a remote source exactly matches what was requested. You can use it by including a “hash digest”, as an integrity attribute, when you add <script> and other resource tags to your website.
The tool is fairly simple: Plug in the URL of a tweet, hit the “generate” button, and get back IFrame embed code that you can paste into your own website, or forums that accept IFrame embeds. It allows you to plug in the URL of a tweet, and get an IFrame embed code, with configurable options.
Occasionally I have wanted to embed a specific Tweet from Twitter into a post on my website, and have been irked by the fact that the default embed method requires me to add a third-party JavaScript embed to my site, which could potentially be used in malicious ways. I almost always prefer to use IFrames to embed third party content, as they provide a superior level of “sandboxing” and content isolation. I realized that building an Iframe embed generator for Tweets should be fairly easy, and this tool is the result of that goal.