Hello,

When I visit this post https://ani.social/post/2611163 my browser downloads a random file called “master.m3u8”

I’m running firefox 115.8.0esr with the darkly-red theme for lemmy.

With this option enabled “Auto expand media”.

The offending line appears to be the following: <iframe class="post-metadata-iframe" allowfullscreen="true" src="https://prod.vodvideo.cbsnews.com/cbsnews/vr/hls/2024/03/11/2317151299662/2750480_hls/master.m3u8" title="House Democrats try to force floor vote on foreign aid for Ukraine, Israel, Taiwan"></iframe>

From a security perspective, using a iframe to anything posted seems dubious?

  • hitagi@ani.socialM
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    That’s strange. It happens to me on Chromium too. Other instances don’t seem to be affected by this. I’ll look into it over the weekend. Thanks for letting us know.

    • hitagi@ani.socialM
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      5 months ago

      Thanks for letting me know. I’ll have a look again today. I made changes when we migrated so that might be the cause.

      edit: It looks like this is an issue in 0.19.4 for servers that disable external image cache. lemmy.cafe (0.19.4) has this issue but mander.xyz (0.19.3) does not. I’ll see what I can do.

      editedit: HOPEFULLY its fixed now(?) I disabled iframes. Lemmy is weird. Sometimes it wants to load the iframe. Sometimes it doesn’t. I don’t really understand what’s going on to be honest.

  • zabadoh@ani.social
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    8 months ago

    Hi, I’m the OP for that post.

    I tried to change the link to a non-amp link to see if that would help, but Lemmy isn’t letting me save it.

    Let me try turning off auto-expand to see if it lets me update.

    edit: Nope, I can’t change to a non-amp link, even with auto-expand turned off