change iframe injection method in noscript

paulirish · Mar 3, 2024 · 8333444 · 8333444
1 parent eeadc83
commit 8333444
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/lite-yt-embed.js b/src/lite-yt-embed.js
@@ -43,6 +43,9 @@ class LiteYTEmbed extends HTMLElement {
             playBtnLabelEl.textContent = this.playLabel;
             playBtnEl.append(playBtnLabelEl);
         }
+        if(this.hasAttribute('addnoscript')) {
+        this.addNoScriptIframe();
+        }
         playBtnEl.removeAttribute('href');
 
         // On hover (or tap), warm up the TCP connections we're (likely) about to use.
@@ -144,6 +147,21 @@ class LiteYTEmbed extends HTMLElement {
         });
     }
 
+    addNoScriptIframe() {
+        const params = new URLSearchParams(this.getAttribute('params') || []);
+        const noscriptEl = document.createElement('noscript');
+        const iframeEl = document.createElement('iframe');
+        iframeEl.width = 560;
+        iframeEl.height = 315;
+        iframeEl.allow = 'encrypted-media;';
+        iframeEl.allowFullscreen = true;
+        // AFAIK, the encoding here isn't necessary for XSS, but we'll do it only because this is a URL
+        // https://stackoverflow.com/q/64959723/89484
+        iframeEl.src = `https://www.youtube-nocookie.com/embed/${encodeURIComponent(this.videoId)}?${params.toString()}`;
+        noscriptEl.innerHTML = iframeEl.outerHTML;
+        this.append(noscriptEl);
+    }
+
     async addIframe(){
         if (this.classList.contains('lyt-activated')) return;
         this.classList.add('lyt-activated');