3 | 3 | If the embed is "insulated" in an iframe, all seems good as long as it doesn't touch anything outside the iframe (for example youtube). However when the embed is not insulated, the included JS would affect the editor in unpredictable ways. Don't think this is much of a security concern (we trust the providers). Rather that JS is intended for the front-end and would manipulate the DOM, attach events, etc. outside of the "wrapper" element. For example embedding a tweet appends an `<iframe id="rufous-sandbox" style="display: none;"...` to the editor body. |