If you're running a news site and you embed tweets, I hope you realise that Elon Musk, a famously petulant man-child who openly hates independent reporting, has direct and hard-to-detect control over the entire pages that have embeds, including hitting your backend as your users?
@robin how can an embedded tweet hit your backend? Wouldn't it be stopped by same origin policy?

@fstanis Take the tweet below, which is embedded using the code that Twitter provides to produce the embed. Now look at the code: it embeds script from Twitter directly in the embedding page.

That script runs in the embedding page context; it can do *everything* that your own scripts can do.

@robin wow I wasn't aware of this, thought it was just an iframe or so. Thanks for explaining.
@fstanis Sure thing! Script injection is also how most advertising and marketing systems are built. Needless to say, this is insanely dangerous :)

@robin @fstanis While there are third-party examples of how to sandbox those widgets, it's kind of a disaster how insecure the default embedded approach is.

Another problem is that Twitter's terms of service forbid news organisations from copy-pasting the tweet contents (because of copyright issues). At least that is how it used to be previously, and likely that is the reason many use embedded tweets.

@autiomaa @fstanis Yeah, the sandboxing is rarely great. I think that news orgs would be open to violating the ToS for fair use reasons, but that doesn't solve the problem of DMCA takedown liability.