We did our homework on the browser security model; content in iframes (with sandboxing attributes) shouldn’t be able to get login cookies/etc from the parent page. This is load-bearing for advertisements not stealing everything, so we do expect browsers to treat weaknesses in this as real security issues and fix them. When post HTML is retrieved through the API, you have to do some assembly to put the iframes in, so third party clients can’t be insecurely surprised by it.
As for whether sandboxed frames can crash the outer page or make the outer page slow, eg by doing into an infinite loop or running out of memory, the story is a bit more complicated (depends on browser, browser heuristics, and amount of system RAM); we decided it’s okay as long as it’s limited to an embed in a post crashing its own post page (as opposed to the front page or a link preview).
We did our homework on the browser security model; content in iframes (with sandboxing attributes) shouldn’t be able to get login cookies/etc from the parent page. This is load-bearing for advertisements not stealing everything, so we do expect browsers to treat weaknesses in this as real security issues and fix them. When post HTML is retrieved through the API, you have to do some assembly to put the iframes in, so third party clients can’t be insecurely surprised by it.
As for whether sandboxed frames can crash the outer page or make the outer page slow, eg by doing into an infinite loop or running out of memory, the story is a bit more complicated (depends on browser, browser heuristics, and amount of system RAM); we decided it’s okay as long as it’s limited to an embed in a post crashing its own post page (as opposed to the front page or a link preview).