Firefox was returning a height of 0 when an iframe was hidden.
This was causing unnecessary reflows when toggling between the
options for comment embeds. There doesn't seem to be a good
reason to broadcast a 0 height up to the parent window, so
I've added a guard for that.

Safari respects `X-Frame-Options` on 304s, causing embeds to break
if `c.allow_framing` is not set before we return a 304. This splits
embed prepping into two stages so that we can set `c.allow_framing`
before we check modified headers.

When constructing URLs to 3rd party cnames, for example,
"thecutelist.com" -> /r/aww, this forces the removal of the
`sr_path`. This was unintentionally affecting pages served by
the `media_domain`, e.g. comment & live embeds.

Similar to `can_save`, `can_embed` controls the visibility of the
embed button. This needs to be a part of the `Comment` or else
the rendercache will use the wrong version on heavily cached
comments.

While in the process of rolling out comment embeds, we'd like to restrict
our beta a bit - because by their nature, once embeds are out, we lose control
over them, making it extremely difficult to make changes. So we're restricting
the embed generation modal to a certain subset of users (for now), but a savvy
user could simply modify an existing public embed to plug in another comment
id, which would defeat the point of restricting it. Enter hmac.
We now generate a unique token for each comment, and only by using the
appropriate token will your embed work. This will be transparent to users, as
it's just another piece of the html that they copy and paste onto their website.
Performance-wise, we're generating tokens for every comment that can be
embedded. However, for now that's a limited set, and the operation is pretty
fast (roughly 5ms for 1000 tokens on my dev VM); if that becomes a problem, we
can easily take this code out after we no longer need the restriction.
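
The per-comment token scheme described in the commit message above, as an added example that is not reddit's own code. The secret, the `comment-embed:` prefix, the function names and the comment ids are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example only; a real service loads it from config.
EMBED_SECRET = b"example-only-secret"


def make_embed_token(comment_id, secret=EMBED_SECRET):
    """Return a hex HMAC-SHA256 tag bound to exactly one comment id."""
    # The fixed prefix (an assumption) keeps this tag from being reused
    # anywhere else the same secret might sign a bare id.
    msg = b"comment-embed:" + comment_id.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_embed_token(comment_id, token, secret=EMBED_SECRET):
    """Check that the token in the embed request matches the comment id."""
    if not isinstance(token, str) or not token:
        return False  # missing or malformed token: refuse to render
    expected = make_embed_token(comment_id, secret)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed token were right.
    return hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))


def swapped_id_is_rejected():
    """The case from the commit message: reuse a public embed's token
    with a different comment id plugged in."""
    public_token = make_embed_token("c0ffee1")  # constructed id
    return not verify_embed_token("c0ffee2", public_token)


if __name__ == "__main__":
    token = make_embed_token("c0ffee1")
    print("own id accepted: ", verify_embed_token("c0ffee1", token))
    print("swapped id rejected:", swapped_id_is_rejected())
```
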

`add_sr()` has had, since reddit/reddit@b57dff70, a special-case when the
requested page was on https, where it would ignore whatever domain it would
normally set and use the current one instead. As best as we can tell, this was
to prevent issues with a lack of https support on all reddit domains, e.g. links
on `https://pay.reddit.com` pointing to `https://www.reddit.com`. This should
no longer be an issue.
Additionally, it has caused problems with the comment embeds, which are served
from `redditmedia.com` but need to have links pointing to `www.reddit.com`.
Now that this special-case doesn't exist, the function should act more
intuitively. And hopefully that doesn't break anything too badly. :p

The request from the comment embed javascript to get the actual embed has been
going through `g.media_domain`. This in turn meant that sometimes (namely,
when the embed was placed on an https page) the link to the comment was also
heading through the media domain. While this works, we'd rather have users go
through the standard `www.reddit.com` domain for brand, caching, and probably
other infrastructure reasons.

At the bottom of the comment embeds is a link to the subreddit from which the
comment was extracted. This link has had an extra domain appended, so we'd end
up with URLs like `http://www.redditmedia.com/www.reddit.com/r/worldnews`.
The problem stemmed from the fact that `get_domain()` returns a protocol-less
URL (`www.reddit.com/r/worldnews`). Thus, `add_sr()` (which it ends up being
passed into) assumes it has been handed a relative URL and appends a domain.
Instead of getting the entire domain, we now just get the subreddit path and
let `add_sr()` handle the domain (and protocol) later.

With multiple embed snippets comes the inclusion of the embed
script multiple times (and therefore multiple executions of it).
This fixes the race condition that occurs when `init` is run
multiple times before the `<div>` is removed and as a result
multiple iframes for the same embed are included in the page.

Previously this timings snippet assumed that window.r was
defined and an object. This ensures we don't throw errors as a
result for admin bar timings.