Hello,

When I visit this post https://ani.social/post/2611163 my browser downloads a random file called “master.m3u8”

I’m running firefox 115.8.0esr with the darkly-red theme for lemmy.

With this option enabled “Auto expand media”.

The offending line appears to be the following: <iframe class="post-metadata-iframe" allowfullscreen="true" src="https://prod.vodvideo.cbsnews.com/cbsnews/vr/hls/2024/03/11/2317151299662/2750480_hls/master.m3u8" title="House Democrats try to force floor vote on foreign aid for Ukraine, Israel, Taiwan"></iframe>

From a security perspective, using a iframe to anything posted seems dubious?

  • hitagiMA
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    6 months ago

    Thanks for letting me know. I’ll have a look again today. I made changes when we migrated so that might be the cause.

    edit: It looks like this is an issue in 0.19.4 for servers that disable external image cache. lemmy.cafe (0.19.4) has this issue but mander.xyz (0.19.3) does not. I’ll see what I can do.

    editedit: HOPEFULLY its fixed now(?) I disabled iframes. Lemmy is weird. Sometimes it wants to load the iframe. Sometimes it doesn’t. I don’t really understand what’s going on to be honest.