Zack Hobson

Embedding Mastodon posts with a web native component Sunday September 3, 2023

This is the source code for the embed widget that (hopefully) appears at the top of this post. Here is how it's being used in this page:

<script async="async" src="/static/js/embed-post.js"></script>

As you can see, there isn't much to it. After my last post, where I learned about native web components, I started to wonder how hard it would be to use this technique to build a widget for embedding Mastodon posts. This is something I've never done before, but it wasn't that hard to figure out, so I wrote about the process. There are helpful links throughout, mostly to MDN, because that's my favorite reference. Since I already went into technical detail about web components in the last post, I will skip over many of those details here.

Figuring it out

First off, let's try adding .json to the end of the post URL and loading that in the browser. Sure enough, that displays a JSON representation of the post! Could it be that simple? Sadly, attempting to fetch that URL from within this page using fetch() fails with a CORS error. That makes sense: CORS is a safeguard to prevent web apps from making unauthorized requests on behalf of the user, and this interface isn't meant to be available to an outside web application. This seems like a dead end.

After an unsuccessful web search, I ended up poking around in the Mastodon code. Here we can find the code describing CORS behavior for Mastodon, and noticed that the /api path is excepted from CORS, indicating that it is for external use! It turns out there is an endpoint under this path that Mastodon provides explicitly for this purpose: /api/oembed. This is a pretty roundabout way to figure that out, but it didn't take long.

With this knowledge, we can fetch something related to the post, given the URL:

const hostname = new URL(postUrl).host
const resp = await fetch(`https://${hostname}/api/oembed?url=${postUrl}`)
const embed = await resp.json()

What we get is a response specifically for embedding, which contains a snippet of HTML. This snippet declares an <iframe> pointing at the original post, and loads some JavaScript. It looks something like this:

<script src="" async="async"></script>

It's rarely a great idea to accept raw HTML and insert into your UI, there are serious security implications! For a service under my control, with my own post, this seems like something that can be done safely. Given that, we are just going to shovel it into the innerHTML of the component.

this.#content.innerHTML = embed.html

That works! At this point the post is visible through an awkwardly sized viewport on the page. The docs for /api/oembed explain how to specify the size of the embedded frame, so as long as our styles match those sizes, our embed should fit perfectly. The optional attributes data-maxwidth and data-maxheight are used to configure the styles and the API call.

Wrapping it up

By this point the bulk of core functionality exists, but there is still some polishing to do. User-provided maxheight and maxwidth values are applied using CSS variables in inline styles. I added a little "loading" message that's visible until the fetch completes and the embed is visible.

The code for this component makes use of some JavaScript features that the last one did not, like static and private members. This is mostly because I haven't really written much JavaScript lately and I am unused to our age of evergreen browsers, where I can use a more modern JS dialect without issue.