Show Password onMouseOver

Show password when mouseover on password field


Review: OK - script works, but has bugs

§
Posted: 2020-03-04

Small bug with embedded

Can you please put an exception for the "embedded" things. // @exclude /(^.(embed)?..(.{2,})\/(embed\/).*$)/

I have encountered problems on some sites such as:

https://www.youtube.com/embed/LwzN_v7GPMs
https://embed.mystream.to/rv3yn5meqa9o

§
Posted: 2025-03-22
Edited: 2025-03-22

```javascript
// ==UserScript==
// @name          Show Password onMouseOver
// @namespace     http://zoolcar9.lhukie.net/
// @include       *
// @description   Show password when mouseover on password field
// @author        LouCypher
// @license       free
// @version 0.0.1.20140630034959
// ==/UserScript==

function isEmbedded() {
  try {
    return window.top !== window.self;
  } catch (e) {
    return true;
  }
}

!isEmbedded() && window.setTimeout(function () {
  var passFields = document.querySelectorAll("input[type='password']");
  if (!passFields.length) return;
  for (var i = 0; i < passFields.length; i++) {
    passFields[i].addEventListener("mouseover", function () {
      this.type = "text";
    }, false);
    passFields[i].addEventListener("mouseout", function () {
      this.type = "password";
    }, false);
  }
}, 1000)
```

§
Posted: 2025-03-22

window.top !== window.self

This might result in an error?

If the embedded frame is under another domain, due to cross domain policy, window.top might not be accessible.

§
Posted: 2025-03-24

might not be accessible

There has to be something more than another domain though

For your curiosity, here is the answer from Grok3.


In browsers, what will cause error in executing window.top !== window.self


In a browser environment, the expression window.top !== window.self is used to determine whether the current window is running in an iframe or a similar embedded context. It compares the topmost window (window.top) with the current window (window.self). If they are not the same, it typically means the current window is inside an iframe (or a similar frame-like structure). However, this expression can encounter issues or "errors" under specific conditions due to browser security mechanisms or misconfigurations. Here’s what can cause problems when executing window.top !== window.self:

1. Cross-Origin Restrictions (Same-Origin Policy)

  • Cause: If the iframe and the top-level window are on different origins (e.g., different domains, protocols, or ports), the browser’s Same-Origin Policy (SOP) will restrict access to window.top. Attempting to access window.top in such a case will throw a SecurityError.
  • Error Example: Uncaught DOMException: Blocked a frame with origin "http://example.com" from accessing a cross-origin frame.
  • Scenario:

2. Sandbox Attribute on Iframe

  • Cause: If an iframe has the sandbox attribute applied without the allow-top-navigation or allow-same-origin permissions, access to window.top might be restricted or behave unexpectedly.
  • Effect: The browser may prevent the iframe from accessing or comparing window.top, potentially resulting in a security exception or undefined-like behavior depending on the sandbox configuration.
  • Example: <iframe sandbox="allow-scripts" src="page.html"></iframe> (omitting allow-same-origin or allow-top-navigation).

3. Browser Context Issues

  • Cause: In some rare cases, the script might run in a non-standard context where window.top or window.self is not properly defined (e.g., a detached frame, a worker context, or a browser extension’s isolated environment).
  • Effect: This could lead to undefined values or a ReferenceError if the properties are inaccessible.
  • Scenario: A script running in a Web Worker or a browser popup without a proper window hierarchy.

4. Content Security Policy (CSP)

  • Cause: A strict Content Security Policy enforced by the top-level page or the iframe’s source might block scripts from accessing or manipulating the window hierarchy.
  • Effect: This could indirectly cause the expression to fail if the script itself is blocked or if frame navigation is restricted.
  • Example: A CSP header like frame-ancestors 'none' might prevent proper iframe embedding, leading to unexpected behavior.

5. Mixed Content Restrictions

  • Cause: If the top window is served over HTTPS but the iframe is loaded from an HTTP source (mixed content), modern browsers may block the iframe entirely or restrict its access to the parent window.
  • Effect: Attempting to evaluate window.top !== window.self in the iframe may result in a security error or failure to load the iframe’s content.
  • Scenario:

What Normally Happens

  • If there’s no iframe (i.e., the page is loaded directly), window.top === window.self returns true, and no error occurs.
  • If the page is in an iframe with the same origin, window.top !== window.self evaluates to true without issues.
  • Errors or exceptions only arise when security policies or context issues interfere.

How to Debug or Avoid Errors

  • Try-Catch Block: Wrap the expression in a try-catch to handle potential SecurityError exceptions:

```javascript
try {
  const isInIframe = window.top !== window.self;
  console.log("In iframe:", isInIframe);
} catch (e) {
  console.error("Error accessing window.top:", e);
}
```

  • Check Access: Verify whether window.top is accessible before comparing:

```javascript
let isInIframe = false;
try {
  isInIframe = window.top.location !== window.self.location;
} catch (e) {
  isInIframe = true; // Assume iframe if access is blocked
}
```

In summary, the primary cause of an "error" with window.top !== window.self is a cross-origin restriction due to the Same-Origin Policy. Other factors like sandboxing, CSP, or mixed content can also interfere, depending on the browser and page configuration.


In short, if window.top !== window.self throws an error, it means it is inside an embedded frame.

Trust me, this is my experience. I faced such an issue once before.

I always do try catch if it can be in another domain.
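
An added example, not part of any post in this thread: a frame check that keeps the try/catch around the comparison, as the posted isEmbedded() does, and then probes `top.document`, a read the same-origin policy blocks with a SecurityError when the parent is another origin. The names `frameContext` and `shouldAttachReveal` and the fake window objects are assumptions constructed so the logic can be exercised outside a browser.

```javascript
// Classify where a script is running: "top-level", "same-origin-frame"
// or "cross-origin-frame". `win` is window (or a stand-in for testing).
function frameContext(win) {
  let top;
  try {
    top = win.top;                       // guarded, like the posted isEmbedded()
    if (top === win.self) return "top-level";
  } catch (e) {
    return "cross-origin-frame";         // fail closed: treat as embedded
  }
  try {
    void top.document;                   // blocked for a cross-origin parent
    return "same-origin-frame";
  } catch (e) {
    return "cross-origin-frame";
  }
}

// Policy for a password-reveal userscript: attach the mouseover
// handlers only when the page is not embedded anywhere.
function shouldAttachReveal(win) {
  return frameContext(win) === "top-level";
}

// --- Constructed stand-ins for browser windows (test data only) ---
function fakeTop() {
  const w = { document: {} };
  w.self = w;
  w.top = w;
  return w;
}
function fakeFrame(top) {
  const w = { document: {}, top };
  w.self = w;
  return w;
}
// Parent on another origin: any property read throws.
function crossOriginTop() {
  return new Proxy({}, {
    get(_, prop) { throw new Error("SecurityError: blocked read of " + String(prop)); }
  });
}
// Environment where reading `top` itself throws.
function throwingTopWindow() {
  const w = {};
  w.self = w;
  Object.defineProperty(w, "top", { get() { throw new Error("SecurityError"); } });
  return w;
}
```

In a userscript the call would be `shouldAttachReveal(window)` before registering the mouseover and mouseout listeners.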

§
Posted: 2025-03-24

Thank you for your response
