Lemmy is the first platform I've come across that I'm actually excited to use in many years. Being federated and not motivated by profits (with all the tracking and selling of personal information that it entails) makes me feel like I'm not the product.
faboosh
Also worth mentioning, iframes have a sandbox attribute which can be used to lock down which browser APIs it has access to (they can't access much out of the box anyway, but this allows further locking down).
Say you have a webserver rendering the Fumen sequence, you could have the step buttons just be links to the next/previous steps. This would require no JS to run within the iframe, which is a great step to harden security even further.
I just saw the updates regarding encoding it as a video, there isn't a good way to provide a slideshow without at least some JS, which kind of defeats the purpose of compatibility/universality. My take is that the iframe + light JS to mount it is the least headache and the most compatible.
I can't swear on it, but afaik iframes are fully sandboxed.
Just spitballing, but you might not even need to inject much JS on the Lemmy side. This sounds like something that could load in an iframe, pointed to a server that can render the Fumen sequence. The injected Lemmy JS could then identify the Fumen sequence, and inject the iframe. Main issue I see with this is mobile users, where you can't really inject code at runtime.
EDIT: Saw that you mentioned using iframes already, I'm seconding that option. I also think it could be neat to use something like code blocks with tags, say !#fumen [insert fumen string here]
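The approach described in the comments above (find a `!#fumen` tag, then mount an iframe with the `sandbox` attribute), sketched as an added example that is not code from the original comments or from Lemmy. The renderer origin, the character allowlist for Fumen data and the sample post are assumptions constructed for illustration.

```javascript
// Added example. RENDERER_ORIGIN and the FUMEN_DATA allowlist are assumptions.
const RENDERER_ORIGIN = "https://fumen-renderer.example"; // hypothetical render server
const FUMEN_TAG = /!#fumen\s+(\S+)/g;             // tag syntax proposed in the comment
const FUMEN_DATA = /^[A-Za-z0-9@+\/?]{1,4096}$/;  // assumed allowlist, length-capped

// Attributes for a locked-down iframe, or null when the data is rejected.
function fumenFrameAttrs(data) {
  if (!FUMEN_DATA.test(data)) return null;
  return {
    // The data is URL-encoded and only ever sent to the one fixed origin.
    src: `${RENDERER_ORIGIN}/render?data=${encodeURIComponent(data)}`,
    // Empty sandbox value = every restriction on: no scripts, no forms,
    // no same-origin access, no top-level navigation. Plain next/previous
    // links still work because they only navigate the frame itself.
    sandbox: "",
    referrerpolicy: "no-referrer", // do not leak the post URL to the renderer
    loading: "lazy",
  };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
              .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Return iframe markup for every valid !#fumen tag found in a post body.
function renderFumenTags(text) {
  const frames = [];
  for (const match of text.matchAll(FUMEN_TAG)) {
    const attrs = fumenFrameAttrs(match[1]);
    if (!attrs) continue; // malformed data never reaches the markup
    const attrText = Object.entries(attrs)
      .map(([name, value]) => `${name}="${escapeAttr(value)}"`)
      .join(" ");
    frames.push(`<iframe ${attrText}></iframe>`);
  }
  return frames;
}

// Constructed sample post: one well-formed tag and one malformed tag.
const samplePost = 'Opener: !#fumen v115@vhAAgH and a broken one: !#fumen bad"value<x>';
console.log(renderFumenTags(samplePost));
```
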
omg her eyes!!!
Really nice job so far! If you don't mind me asking, how did you manage to get around CORS? I've started tinkering with the official JS client and ran into issues.
gravity defying sploot
Didn't expect to see brennan referenced here, noice