Closed severak closed 1 year ago
This is header sent by one of these instances that don't want to be included in iframe:
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; script-src 'self' https://tiny.tilde.website 'wasm-unsafe-eval'; font-src 'self' https://tiny.tilde.website; img-src 'self' data: blob: https://tiny.tilde.website https://sbom.tilde.website; style-src 'self' https://tiny.tilde.website 'nonce-OKmA5+kZFXEk29O1FZSAZw=='; media-src 'self' data: https://tiny.tilde.website https://sbom.tilde.website; frame-src 'self' https:; child-src 'self' blob: https://tiny.tilde.website; worker-src 'self' blob: https://tiny.tilde.website; connect-src 'self' blob: data: wss://tiny.tilde.website https://tiny.tilde.website https://sbom.tilde.website; manifest-src 'self' https://tiny.tilde.website; form-action 'self'
see MDN article
I think better approach would be just render these into HTML itself.
I think that's probably a good solution. The HTML content of the post itself is available in the ScoredPost.info
dictionary. @mauforonda has implemented this in a fork. Though, I'd like to keep a similar styling to the current iframe, but something like this is a probably next step.
Closing, as this is an upstream bug.