fix: isolate multi-embed resize handshake with per-snippet token
ForRelease mints a per-call token used as the iframe id and threaded into the src as EmbedId; the host script matches on it so multiple embeds resize independently. ForTrack unchanged.
This commit is contained in:
@@ -29,7 +29,8 @@ public class EmbedSnippetBuilderTests
|
||||
{
|
||||
var snippet = EmbedSnippetBuilder.ForRelease(BaseUri, "rel-xyz");
|
||||
|
||||
Assert.That(snippet, Does.Contain(@"src=""https://deepdrft.example/FramePlayer?ReleaseEntryKey=rel-xyz"""));
|
||||
// src contains ReleaseEntryKey; may also carry additional query params (e.g. EmbedId).
|
||||
Assert.That(snippet, Does.Contain("ReleaseEntryKey=rel-xyz"));
|
||||
Assert.That(snippet, Does.Not.Contain("TrackEntryKey"));
|
||||
}
|
||||
|
||||
@@ -94,10 +95,66 @@ public class EmbedSnippetBuilderTests
|
||||
Assert.That(track, Does.Not.Contain("<script>"));
|
||||
}
|
||||
|
||||
// --- Multi-embed isolation (Phase 17 major remediation) ---
|
||||
|
||||
// Two ForRelease calls must produce snippets with different iframe ids so both can coexist on one
|
||||
// host page without the host-side resize script resolving only the first via getElementById.
|
||||
[Test]
|
||||
public void ForRelease_TwoCalls_ProduceDifferentIframeIds()
|
||||
{
|
||||
var a = EmbedSnippetBuilder.ForRelease(BaseUri, "rel-xyz");
|
||||
var b = EmbedSnippetBuilder.ForRelease(BaseUri, "rel-xyz"); // same release, different call
|
||||
|
||||
var idA = IframeId(a);
|
||||
var idB = IframeId(b);
|
||||
|
||||
Assert.That(idA, Is.Not.EqualTo(idB),
|
||||
"each ForRelease call must mint a distinct iframe id to prevent multi-embed cross-talk");
|
||||
}
|
||||
|
||||
// The iframe id and the token embedded in the host-side resize script must be consistent within
|
||||
// a single snippet — the script assigns the id string to a JS variable and calls getElementById
|
||||
// with it, so the id literal must appear in the script's var initializer.
|
||||
[Test]
|
||||
public void ForRelease_IframeIdAndScriptToken_AreConsistentWithinOneSnippet()
|
||||
{
|
||||
var snippet = EmbedSnippetBuilder.ForRelease(BaseUri, "rel-abc");
|
||||
|
||||
var id = IframeId(snippet);
|
||||
Assert.That(id, Does.StartWith("deepdrft-embed-"), "id must carry the expected prefix");
|
||||
|
||||
// The iframe element must declare the minted id.
|
||||
Assert.That(snippet, Does.Contain($@"id=""{id}"""),
|
||||
"iframe element must carry the minted id");
|
||||
|
||||
// The script stores the id in a JS var and calls getElementById(id) — confirm the id literal
|
||||
// appears in the script's var initializer so the right iframe is targeted.
|
||||
Assert.That(snippet, Does.Contain($@"var id=""{id}"""),
|
||||
"resize script must initialise its id variable with the same minted id");
|
||||
}
|
||||
|
||||
// The iframe src must carry EmbedId so the iframe content (embed-frame.ts) can read its own
|
||||
// token and include it in postMessage payloads for the host-side script to match on.
|
||||
[Test]
|
||||
public void ForRelease_SrcCarriesEmbedIdParam()
|
||||
{
|
||||
var snippet = EmbedSnippetBuilder.ForRelease(BaseUri, "rel-def");
|
||||
|
||||
Assert.That(snippet, Does.Contain("EmbedId="),
|
||||
"iframe src must include EmbedId query param so embed-frame.ts can read its own token");
|
||||
}
|
||||
|
||||
private static int HeightOf(string snippet)
|
||||
{
|
||||
var match = Regex.Match(snippet, @"height=""(\d+)""");
|
||||
Assert.That(match.Success, Is.True, "snippet must declare an iframe height");
|
||||
return int.Parse(match.Groups[1].Value);
|
||||
}
|
||||
|
||||
private static string IframeId(string snippet)
|
||||
{
|
||||
var match = Regex.Match(snippet, @"id=""([^""]+)""");
|
||||
Assert.That(match.Success, Is.True, "snippet must declare an iframe id");
|
||||
return match.Groups[1].Value;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user