forked from fedi/mastodon
6e736f2452
also including some refactoring:

- add `// @ts-check`
- use Map to completely avoid prototype pollution
- assign random id to each iframe to reduce the chance of brute-force attack, and leak of iframe counts
- check iframe.contentWindow and MessageEvent.source to validate message is coming from correct iframe (it works on latest Chrome/Firefox/Safari but I'm not sure this is allowed by spec)

follow-up of #17420
fix #18299

| | | |
---|---|---|
.. | ||
avatars/original | ||
emoji | ||
headers/original | ||
ocr/lang-data | ||
shortcuts | ||
sounds | ||
500.html | ||
android-chrome-192x192.png | ||
apple-touch-icon.png | ||
badge.png | ||
browserconfig.xml | ||
embed.js | ||
favicon-dev.ico | ||
favicon.ico | ||
inert.css | ||
mask-icon.svg | ||
mstile-150x150.png | ||
oops.gif | ||
oops.png | ||
robots.txt | ||
sw.js | ||
web-push-icon_expand.png | ||
web-push-icon_favourite.png | ||
web-push-icon_reblog.png |