You’ve been mentioning clickjacking a lot, and there are some fairly intrusive defenses against it, so I figured I should ask - is Twitch seeing actual evidence of active exploitation of clickjacking on legacy chat?
It seems like something that would be fairly hard to pull off, especially with needing to target a specific moderator / chat pairing.
Popout and embed are separate, and the problem with clickjacking is that it’s mostly invisible to the victim. They might think it’s a fun new browser game they’re playing when in reality they’re spamming malicious links in chat, for example.
Please do domain whitelisting for the embed chat. No moderation features on it absolutely kills my site speedrun.tv – surely there is a pragmatic way to implement moderation without clickjacking. This should be a top priority.
Also, if no white/dark chat is set it should go with what the user has set. Some people like white, some people like dark, and in some cases it is good to let the user decide.
Lastly, what is the point of the massive banner that says “Stream Chat” at the top?
We’ve definitely heard the request for whitelisting, but it’s not something we can do at this time. I will definitely post here on the dev forums if that becomes a possibility.
The theme used is determined solely by the embed parameters, but this is something you could configure if you’re storing session states / persisting preferences for your users!
As for the “Stream Chat” banner, this indicates that the chat embed is showing the stream’s chat, rather than one of the rooms that the broadcaster may have created. Rooms chat is something we’re open to adding support for in the embeds if it’s something folks find valuable.
I hope this helps! Happy to answer any follow-up questions as well.
It is pretty problematic that moderation and whitelisting will not happen.
This basically means the embed is useless for many purposes, and I (and I assume many others) will have to roll my own custom code, all written from scratch.
Maybe it’s time to ditch the iframe embed entirely, and start up a library where we host our own code for interacting with Twitch chat?
I know there’s already TMI.js, but it’s just a basic frame for connecting to and reading chat, and does not display anything, and is missing a lot of features.