While in the process of rolling out comment embeds, we'd like to have restrict
our beta a bit - because by their nature, once embeds are out, we lose control
over them, making it extremely difficult to make changes. So we're restricting
the embed generation modal to a certain subset of users (for now), but a savvy
user could simply modify an existing public embed to plug in another comment
id, which would defeat the point of restricting it. Enter hmac.
We know generate a unique token for each comment, and only by using the
appropriate token will your embed work. This will be transparent to users, as
its just another piece of the html that they copy and paste onto their website.
Performance-wise, we're generating tokens for every comment that can be
embedded. However, for now that's a limited set, and the operation is pretty
fast (roughly 5ms for 1000 tokens on my dev VM); if that becomes a problem, we
can easily take this code out after we no longer need the restriction.
`add_sr()` has had, since reddit/reddit@b57dff70, a special-case when the
requested page was on https, where it would ignore whatever domain it would
normally set and use the current one instead. As best as we can tell, this was
to prevent issues with a lack of https support on all reddit domains, eg links
on `https://pay.reddit.com` pointing to `https://www.reddit.com`. This should
no longer be an issue.
Additionally, it has caused problems with the comment embeds, which are served
from `redditmedia.com` but need to have links pointing to `www.reddit.com`.
Now that this special-case doesn't exist, the function should act more
intuitively. And hopefully that doesn't break anything too badly. :p
The request from the comment embed javascript to get the actual embed has been
going through `g.media_domain`. This in turn meant that sometimes (namely,
when the embed was placed on an https page) the link to the comment was also
heading through the media domain. While this works, we'd rather have users go
through the standard `www.reddit.com` domain for brand, caching, and probably
other infrastructure reasons.
At the bottom of the comment embeds is a link to the subreddit from which the
comment was extracted. This link has had an extra domain appended, so we'd end
up with URLs like `http://www.redditmedia.com/www.reddit.com/r/worldnews`.
The problem stemmed from the fact that `get_domain()` returns a protocol-less
URL (`www.reddit.com/r/worldnews`). Thus, `add_sr()` (which it ends up being
passed into) assumes it has been handed a relative URL and appends a domain.
Instead of getting the entire domain, we now just get the subreddit path and
let `add_sr()` handle the domain (and protocol) later.
With multiple embed snippets comes the inclusion of the embed
script multiple times (and therefore multiple execusions of it).
This fixes the race condition that occurs when `init` is run
multiple times before the `<div>` is removed and as a result
multiple iframes for the same embed are included in the page.
Previously this timings snippet assumed that window.r was an
defined and an object. This ensures we don't throw errors as a
result for admin bar timings.
Previously this was looking for a parent <form> and then searching for
the hidden iden input inside that form. siblings() is much more
efficient and removes the dependency on a parent form existing (which it
doesn't, on the create subreddit page)
URLs of the form /user/<name>/m/<multi>+<multi>+<multi>+...
will be converted to an anonymous multi comprised of the
union of all subreddits in the named multis.
If for whatever reason ga fails to call the callback in a
reasonable amount of time (500ms) then fire it off anyway. One
instance where this was biting us was, an addon for firefox
(ghostery) was stubbing out `_gaq.push` with a noop, causing any
functions pushed into it to never be fired.
I forgot how insanely brittle this bit of code is since I last tried
messing with it last year. At some point we might want to look into
deprecating everything but oauth., the lang subdomains, and www. To
hell with `www.ssl.circlejerk.json.reddit.com`.
