evazion/translate-pixiv-tags

Script activating in iframes

Closed this issue · 0 comments

BrokenEagle commented

I noticed from the Tampermonkey icon that there was more scripts running on the page than were supposed to be, even when it was the only script running. I then added the following code to the bottom of the Translate Pixiv Tags script to detect what was going on.

console.log("Translate Pixiv Tags: Hi!",window.location.href);

The following was what was output.

Translate Pixiv Tags: Hi! https://twitter.com/watadochinkuru

Translate Pixiv Tags: Hi! https://twitter.com/i/cards/tfw/v1/1098519834835410947?cardname=summary_large_image&autoplay_disabled=true&forward=true&earned=true&edge=true&lang=en&card_height=344&scribe_context=%7B%22client%22%3A%22web%22%2C%22page%22%3A%22profile%22%2C%22section%22%3A%22profile%22%2C%22component%22%3A%22tweet%22%7D&bearer_token=AAAAAAAAAAAAAAAAAAAAAPYXBAAAAAAACLXUNDekMxqa8h%252F40K4moUkGsoc%253DTYfbDKbT3jJPCEVnMYqilB28NHfOPqkca3qaAxGfsyKCs0wRbw#xdm_e=https%3A%2F%2Ftwitter.com&xdm_c=default244&xdm_p=1

Translate Pixiv Tags: Hi! https://twitter.com/i/cards/tfw/v1/1098015082204676096?cardname=summary_large_image&autoplay_disabled=true&forward=true&earned=true&edge=true&lang=en&card_height=344&scribe_context=%7B%22client%22%3A%22web%22%2C%22page%22%3A%22profile%22%2C%22section%22%3A%22profile%22%2C%22component%22%3A%22tweet%22%7D&bearer_token=AAAAAAAAAAAAAAAAAAAAAPYXBAAAAAAACLXUNDekMxqa8h%252F40K4moUkGsoc%253DTYfbDKbT3jJPCEVnMYqilB28NHfOPqkca3qaAxGfsyKCs0wRbw#xdm_e=https%3A%2F%2Ftwitter.com&xdm_c=default245&xdm_p=1

So the script is running in loaded iframes. There are only 2 occurrences in the above example, however more will be loaded each time a new iframe is loaded. This is more than likely due to the very loose matching policy for Twitter.

translate-pixiv-tags/translate-pixiv-tags.user.js

Line 17 in f90318b

// @match *://*.twitter.com/*

This can be fixed by adding an exclusion for the iframe links.

// @exclude      *://twitter.com/i/cards/*

However, this might happen on other sites as well, and adding a whole bunch of exclusions would clutter up the preface. Instead, if you add the following, it will also prevent the script from running in those iframes on Twitter, as well as any other site as well.

// @noframes

https://tampermonkey.net/documentation.php#_noframes