Async JS doesn't block either - and cross-domain scripting rules are strict enough that it is pretty safe. The iframe code has an async Google Analytics script in it - perhaps that is the reason for the iframe (to use Google Analytics for tracking usage).
Curious what you mean about cross-domain scripting rules and safety. Normally, loading a third-party script via a script tag lets that script do anything the page can do, which makes it decidedly unsafe.
You're correct - it can do just about anything. Technically it can't make Ajax calls back to a domain other than where the page was served from - but you could get around that by just inserting more JavaScript tags.
Iframes do offer a little more security here - but in this case I would still go for just script since I don't see that the downsides outweigh the added security. (You can still do a whole ton of damage from an iframe.)
You can deceive the user pretty easily with content that looks like the main page and prompts them to do something you want them to do. (Like log in to the parent app even though they are logging into your app; anti-phishing stuff won't take effect if you keep it all in the iframe.)
You could also just execute whatever JS you want if there is a browser vulnerability you want to take advantage of.
Number of times I've followed up on GitHub related news, anywhere: n + rand(50..100) # => always
Times I've thought that GitHub is growing sickeningly commercial, that my attempt at best practice and code sharing is equating to (millions of) dollars in their pocket, and that other seemingly like-minded individuals want to capitalize on their successes to achieve notice: At least twice.
At least when Dr. Nic made this widget, it seemed original.
This is a pet project and we gain nothing but experience. We were not aware of any similar projects when starting. In terms of capitalizing, please keep in mind that there are no ads and we do not intend to add any, so on the contrary it will cost us when more people start to use this.