Replacements for the Widgets extension

From Miraheze Developers Wiki

Following the permanent removal of the Widgets extension due to a security vulnerability, and the potential for future risk, here are some viable replacement options:

Extensions: the EmbedVideo, TimedMediaHandler, Video, or YouTube extensions may be viable replacements.


JavaScript:

$( '#discord-widget' ).html( '<iframe src="https://discord.com/widget?id={SERVER_ID}&theme=dark" width="{WIDTH}" height="{HEIGHT}" allowtransparency="true" frameborder="0" sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"></iframe>' );

HTML:

<div id="discord-widget"></div>

  • Add the JavaScript to either MediaWiki:{Skin}.js or MediaWiki:Common.js.
  • Add the HTML to any wiki page or template where you wish to display the embedded iframe.

Note: If the URL you are attempting to frame is blocked by the Miraheze Content Security Policy (CSP), it will not work. The sources the policy currently allows (as of 2021-09-09) are listed below, grouped by directive:

script-src:
  - "self"
  - "unsafe-inline"
  - "unsafe-eval"
  - *.miraheze.org
  - *.wikimedia.org
  - *.wikipedia.org
  - *.wikibooks.org
  - *.wiktionary.org
  - *.wikiquote.org
  - *.wikisource.org
  - *.wikiversity.org
  - *.wikinews.org
  - *.wikivoyage.org
  - mediawiki.org
  - wikidata.org
  - www.gstatic.com
  - s7.addthis.com
  - www.google.com
  - www.recaptcha.net
  - platform.twitter.com
  - js-wiki-cdn.reviservices.com
  - wikiplus-app.com
  - cdnjs.cloudflare.com
  - cdn.jsdelivr.net
  - cdn.syndication.twimg.com
  - scratchblocks.github.io
  - openlayers.org

style-src:
  - "self"
  - data:
  - "unsafe-inline"
  - *.miraheze.org
  - *.wikimedia.org
  - *.wikipedia.org
  - *.wikibooks.org
  - *.wiktionary.org
  - *.wikiquote.org
  - *.wikisource.org
  - *.wikiversity.org
  - *.wikinews.org
  - *.wikivoyage.org
  - mediawiki.org
  - wikidata.org
  - www.gstatic.com
  - fonts.googleapis.com
  - cdn.jsdelivr.net
  - platform.twitter.com
  - ton.twimg.com

img-src:
  - "self"
  - data:
  - *.miraheze.org
  - upload.wikimedia.org
  - maps.google.com
  - www.gstatic.com
  - maxcdn.bootstrapcdn.com
  - *.twimg.com
  - i.imgur.com
  - image.tmdb.org
  - *.googleusercontent.com
  - *.fontawesome.com
  - *.dropboxstatic.com
  - *.redd.it
  - *.redditmedia.com
  - mirrors.creativecommons.org
  - www.gnu.org
  - live.staticflikr.com
  - cdn.pixabay.com
  - cdn.geogebra.org
  - scratchblocks.github.io
  - docs.blender.org
  - *.imgbox.com
  - www.mikrodev.com
  - *.tile.openstreetmap.org
  - cdn.discordapp.com
  - na.llnet.sims3storee.cdn.ea.com
  - *.fastly.net
  - minotar.net
  - img.shields.io
  - mc-uc.netease.com
  - db.onlinewebfonts.com
  - openlayers.org
  - discordapp.com
  - imgbb.com
  - postimages.org
  - platform.twitter.com
  - syndication.twitter.com

font-src:
  - "self"
  - data:
  - *.miraheze.org
  - fonts.gstatic.com

media-src:
  - "self"
  - blob:
  - *.miraheze.org
  - upload.wikimedia.org
  - embed.nicovideo.jp
  - *.youtube.com
  - *.youtube-nocookie.com
  - player.twitch.tv
  - clips.twitch.tv
  - player.vimeo.com

frame-src:
  - "self"
  - www.google.com
  - www.recaptcha.net
  - web.libera.chat
  - snap.berkeley.edu
  - *.youtube-nocookie.com
  - player.twitch.tv
  - platform.twitter.com
  - discord.com
  - discordapp.com
  - embed.nicovideo.jp
  - syndication.twitter.com
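
Because the Discord widget above is an iframe, frame-src is the directive that decides whether it loads. The check below is an added example, not Miraheze's or MediaWiki's code: it tests a URL against the frame-src list above using CSP host matching, where a "*." entry covers subdomains but not the bare domain. The wiki origin https://example.miraheze.org and the function names are assumptions.

```javascript
// Added example: frame-src entries copied from the list on this page.
const FRAME_SRC = [
  "self", "www.google.com", "www.recaptcha.net", "web.libera.chat",
  "snap.berkeley.edu", "*.youtube-nocookie.com", "player.twitch.tv",
  "platform.twitter.com", "discord.com", "discordapp.com",
  "embed.nicovideo.jp", "syndication.twitter.com"
];

// Match one CSP host-source against a hostname (case-insensitive).
// "*.example.org" covers subdomains only, never the bare "example.org".
function hostMatches(source, host) {
  source = source.toLowerCase();
  host = host.toLowerCase();
  if (source.startsWith("*.")) {
    return host.endsWith(source.slice(1)); // slice(1) keeps the leading "."
  }
  return host === source;
}

// Returns true if `url` could be framed from `pageOrigin` under `sources`.
// Assumptions: HTTPS only, default port, no path-restricted sources.
function isFrameAllowed(url, pageOrigin, sources = FRAME_SRC) {
  let target;
  try {
    target = new URL(url);
  } catch (e) {
    return false; // unparsable URL, e.g. relative or malformed
  }
  if (target.protocol !== "https:" || target.port !== "") return false;
  return sources.some((src) =>
    src === "self"
      ? target.origin === new URL(pageOrigin).origin
      : hostMatches(src, target.hostname));
}
```

Note that www.youtube.com is rejected by this check: only *.youtube-nocookie.com appears under frame-src, while *.youtube.com is listed under media-src.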
