EFForg / privacybadger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.
https://privacybadger.org

Fix replacing some lazy-loaded widgets #2994

Closed ghostwords closed 2 months ago

ghostwords commented 2 months ago

Fixes #2989. Follows up on #2852.

Also fixes replacing Embedly frame loaded (nested) surrogate JS API-powered widgets:

Lazy loaded example that still doesn't work:

Surrogate JS API-powered example that no longer works (unrelated to this PR; a "loading" overlay hides our placeholder):

lenacohen commented 2 months ago

I tested the Embedly link and the links in https://github.com/EFForg/privacybadger/issues/2989. The fix worked for everything except the YouTube player on https://www.vox.com/22362894/which-covid-vaccine-is-better-moderna-vs-pfizer-video

Also, while testing non-lazy-loaded widget pages, I noticed we might need to yellowlist sf16-website-login.neutral.ttwstatic.com to get TikTok widget replacements working on certain pages. Ex: https://goatagency.com/blog/influencer-marketing/super-bowl-ads/

ghostwords commented 2 months ago

> I tested the Embedly link and the links in #2989. The fix worked for everything except the YouTube player on https://www.vox.com/22362894/which-covid-vaccine-is-better-moderna-vs-pfizer-video

OK, it's not a lazy load situation, but a YouTube API widget nested inside an iframe. The following patch fixes it but it would be better if we could instead allow surrogate API messages from all first party (according to our MDFP definitions) frames:

diff --git a/src/js/contentscripts/utils.js b/src/js/contentscripts/utils.js
index 8607f71a..0cc96e11 100644
--- a/src/js/contentscripts/utils.js
+++ b/src/js/contentscripts/utils.js
@@ -66,7 +66,8 @@ window.FRAME_URL = getFrameUrl();
 // investigate implications of third-party scripts in nested frames
 // generating pbSurrogateMessage events
 if (window.top != window) {
-  if (!window.FRAME_URL.startsWith('https://cdn.embedly.com/')) {
+  if (!window.FRAME_URL.startsWith('https://cdn.embedly.com/') &&
+    !window.FRAME_URL.startsWith('https://volume.vox-cdn.com/')) {
     return;
   }
 }
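
Review bot: the added `!window.FRAME_URL.startsWith('https://volume.vox-cdn.com/')` condition extends a hardcoded, per-site list of nested-frame URLs that are let past this early return, while the comment just above still says the implications of third-party scripts in nested frames generating pbSurrogateMessage events need investigating. Each chained prefix widens that trust with no record of why the origin is acceptable. Consider moving the prefixes into a named array checked with `some()`, with a comment per entry naming the widget that needs it, so the list stays auditable until the check can be based on the frame's first-party relation instead. Keep the trailing slash on every prefix, since it anchors the match to the exact host.
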
lenacohen commented 2 months ago

> > I tested the Embedly link and the links in #2989. The fix worked for everything except the YouTube player on https://www.vox.com/22362894/which-covid-vaccine-is-better-moderna-vs-pfizer-video
>
> OK, it's not a lazy load situation, but a YouTube API widget nested inside an iframe. The following patch fixes it but it would be better if we could instead allow surrogate API messages from all first party (according to our MDFP definitions) frames:
>
> ...

Makes sense! Do we already have an issue opened for this?
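
The first-party frame check proposed in this thread, sketched as an added example that is not Privacy Badger's code: instead of matching URL prefixes, it asks whether the nested frame's host belongs to the same party as the top-level page. The function names, the `SAMPLE_MDFP_GROUPS` data and the way the top-level URL reaches the frame are all assumptions made for illustration.

```javascript
// Added illustration; every name below is hypothetical, not Privacy Badger's API.

// Constructed sample grouping in the spirit of an MDFP list: the domains in
// one group are treated as operated by the same party.
const SAMPLE_MDFP_GROUPS = [
  ["vox.com", "vox-cdn.com"],
  ["example.com", "example-static.net"],
];

// Match on a dot boundary so "evilvox.com" or "vox.com.evil.example" do not
// count. Simplification: no Public Suffix List lookup, so hosts outside the
// sample groups only match on an identical hostname.
function groupIndexFor(hostname) {
  return SAMPLE_MDFP_GROUPS.findIndex((group) =>
    group.some((d) => hostname === d || hostname.endsWith("." + d)));
}

// frameUrl: URL of the nested frame; pageUrl: URL of the top-level page
// (assumed to be supplied by the extension, since a cross-origin frame
// cannot read it from window.top).
function isFirstPartyFrame(frameUrl, pageUrl) {
  let frame, page;
  try {
    frame = new URL(frameUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // missing or unparsable URL: fail closed
  }
  // about:blank, data:, blob: and plain http have no trustworthy host here
  if (frame.protocol !== "https:" || page.protocol !== "https:") {
    return false;
  }
  if (frame.hostname === page.hostname) {
    return true;
  }
  const g = groupIndexFor(frame.hostname);
  return g !== -1 && g === groupIndexFor(page.hostname);
}
```
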