add support for single HTML files as media attachment / upload

hey y’all! I realize this is a big request (with potential security implications?) so I fully understand if this goes nowhere but I think it would be super cool and I was inspired by the awesome audio upload announcement today to just go ahead and at least ask :) I would love love love it if I could attach a single HTML file as a media attachment the way you currently can attach images and audio. this would allow me to post bitsy games directly in posts, and would also enable twine stories and decker projects, etc. I imagine it would work a bit like on where there is a play button you have to press before the content of the iframe loads (also I know also supports whole zip files for html games but that seems like overkill for a site like cohost that isn’t a game hosting platform, which is why I’m limiting this request to single standalone HTML files, but I am open to changing my mind)

23 people like this idea

I wholeheartedly endorse this idea. I've made several tools that can emit games and interactive media as standalone .HTML files (both Decker as noted above and Octo).

Being able to pop this sort of creation inside an iframe on cohost without hosting it separately would make it tremendously more convenient to share projects, especially one-off goofy things. You can fit a lot of interactivity in well under the 5mb limit that currently applies for images, and iframes rule out most of the nasty shenanigans that are possible when running untrusted code.

5 people like this

I'd extremely be all about being able to embed a decker deck directly into a chost! Or like a twine game or similar. I think you'd be able to do lots of cool stuff with this!

4 people like this

Agree. Not sure about the security issues here myself, but it would be awesome to have bitsy, decker, or twine running in cohost! Would have a lot more visibility for games and could have the potential of being really fun.

3 people like this

This would be so cool! I would love to be scrolling on cohost and then suddenly find small games. With the 5 MB file size, you could totally fit something like the original Super Mario Bros or a Final Fantasy game. This would be really really cool. The only problem I can see is sandboxing the JavaScript stuff, but manages to do it so it shouldn't be impossible.

3 people like this

as someone who is *also* working on a game engine that can export self contained html files, yes, I also think this feature would be neat

6 people like this

I have been wanting a feature on a social network like this forever, being able to post bitsies, pico 8 embeds, flickguy character creators - I would go wild for this

3 people like this

I would absolutely love this feature, being able to check out html games without needing to go to a separate page from where I find out about them would be a magical experience.

1 person likes this

I...would really rather this never happen. Security is the biggest concern, but even with CSS crimes we have the ability to slow down folks' feeds to a crawl and in some cases break their rendering even just by mistake. This...there's just no way to implement this safely and to remove any chance of disrupting things of people just scrolling through their feeds (short of including a toggle to allow users to disable seeing them, and then that kind of removes the point).

As convenient as this is to have in-line, it's really best left to just being linked to on other sites.

Those are valid concerns! I’m not a web security expert so I can’t speak to your first point - I think staff would have to weigh in on that. (For what it’s worth though, John mentioned above that iframes in browsers come with security precautions built in.) I think the feed performance issue is solvable by having to click a play button before the HTML embed loads (I imagine this would work similarly to’s default behavior for browser games). Just as you need to press play for audio posts (no one wants a bunch of auto-playing audio!) you would need to press play for interactive posts. I think this is actually better than CSS crimes, which start automatically by nature of just being part of the post, rather than an attachment. Does this help with your concerns at all?

Only really for the performance side. I still can't get past the numerous probable security concerns with just allowing any and all HTML. Off the top of my head, it could be used to facilitate account takeovers through UI replacement (which is one of the reasons inline CSS is restricted), cause drive-by malware downloads, exploit zero-day security flaws in browsers to cause arbitrary code execution on user machines, and the list goes on. There are reasons they don't just allow this to happen in chosts themselves, and these would probably just be a few. I really can't see a way of managing the risk.

Like I said I’m not a security expert so I can’t say anything with confidence on that topic. I agree it would be important to address though. I wonder how sites like and iframely handle these kinds of issues.
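
Editor's added example, not part of the thread and not cohost's code: a sketch of the click-to-play embed discussed above, using the iframe `sandbox` attribute so that scripts run but the frame cannot navigate the page, open popups, submit forms or start downloads. `EMBED_ORIGIN`, the URL layout and all function names are hypothetical.

```javascript
// Assumed: uploads are served from a separate origin that never sees session cookies.
const EMBED_ORIGIN = "https://usercontent.example";

// Sandbox tokens that would undo the isolation the thread relies on.
const RISKY = {
  "allow-same-origin": "frame keeps its real origin, cookies and storage",
  "allow-top-navigation": "frame can redirect the whole page (UI replacement)",
  "allow-top-navigation-by-user-activation": "one click in the game can redirect the page",
  "allow-popups": "frame can open new windows",
  "allow-popups-to-escape-sandbox": "popups opened by the frame run unsandboxed",
  "allow-downloads": "frame can start file downloads",
  "allow-forms": "frame can submit forms, such as a fake login",
  "allow-modals": "frame can block the tab with alert() loops",
};

// Findings for a sandbox attribute value; null means the attribute is missing.
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return ["no sandbox attribute: frame is unrestricted"];
  }
  return value.split(/\s+/).filter(Boolean)
    .filter((token) => token in RISKY)
    .map((token) => `${token}: ${RISKY[token]}`);
}

// Attachment ids are restricted so nothing user-controlled reaches the markup.
function checkId(attachmentId) {
  if (!/^[a-z0-9-]+$/.test(attachmentId)) throw new Error("bad attachment id");
  return attachmentId;
}

// What the feed renders: a button only, so nothing loads while scrolling.
function placeholderHtml(attachmentId) {
  return `<button type="button" data-embed="${checkId(attachmentId)}">Play</button>`;
}

// What the click handler inserts: scripts allowed, every other capability off.
function iframeHtml(attachmentId) {
  const src = `${EMBED_ORIGIN}/attachments/${checkId(attachmentId)}.html`;
  return `<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" src="${src}"></iframe>`;
}
```

The sandbox only restricts what the web platform lets the frame do; it does not address the browser zero-day concern raised in the thread.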