commit c7e967b6d8882d67a326a7b3ae7048cbdd69b84e
parent c1981b6476c94224a6068825a17bc1733735618e
Author: Emma Zuehlcke <emz@mozilla.com>
Date: Mon, 5 Jan 2026 13:01:42 +0000
Bug 2007302, r=webcompat-reviewers,bvandersloot,twisniewski
Differential Revision: https://phabricator.services.mozilla.com/D277442
Diffstat:
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/browser/extensions/webcompat/manifest.json b/browser/extensions/webcompat/manifest.json
@@ -2,7 +2,7 @@
"manifest_version": 2,
"name": "Web Compatibility Interventions",
"description": "Urgent post-release fixes for web compatibility.",
- "version": "148.3.0",
+ "version": "148.4.0",
"browser_specific_settings": {
"gecko": {
"id": "webcompat@mozilla.org",
diff --git a/browser/extensions/webcompat/shims/disqus-embed.js b/browser/extensions/webcompat/shims/disqus-embed.js
@@ -8,11 +8,33 @@ if (!window.smartblockDisqusShimInitialized) {
// Guard against this script running multiple times
window.smartblockDisqusShimInitialized = true;
+ /**
+ * Finds a Disqus embed script URL in the document. Validates that
+ * the URL matches https://*.disqus.com/embed.js format.
+ *
+ * @returns {string|undefined} The script URL if found, undefined otherwise.
+ */
+ function getDisqusEmbedScriptURL() {
+ for (const script of document.querySelectorAll("script[src]")) {
+ try {
+ const url = new URL(script.src);
+ if (
+ url.protocol === "https:" &&
+ url.hostname.endsWith(".disqus.com") &&
+ url.pathname === "/embed.js"
+ ) {
+ return url.href;
+ }
+ } catch {
+ // Invalid URL, skip
+ }
+ }
+ return undefined;
+ }
+
// Get the script URL from the page. We can't hardcode it because the
// subdomain is site specific.
- let scriptURL = document.querySelector(
- 'script[src*=".disqus.com/embed.js"]'
- )?.src;
+ const scriptURL = getDisqusEmbedScriptURL();
if (scriptURL) {
embedHelperLib.initEmbedShim({
shimId: "DisqusEmbed",
