While it works on Android, it is still impossible to use iframe embeds on web-based mobile iOS apps. The reason being that iOS' WKWebView expects <schema>://<host> in the CORS headers returned by Twitch. Twitch uses the parent parameter to generate those headers. Unfortunately, iOS prevents the use of http://, https:// and file:// as schemas and forces us to use a custom schema like ionic://localhost (or anything else) for accessing local files.

The request is to add the ability for twitch embeds to return a CORS header that can match a custom scheme like ionic://localhost.

I read through all forum topics on that subject but none provides a working solution. Please see the following discussions for an in-depth explanation why the current state of twitch embed cannot work and a suggestion for a solution:

• https://discuss.dev.twitch.tv/t/embedded-player-within-ios-web-based-mobile-app-e-g-ionic-not-working/36227
• https://stackoverflow.com/questions/68105361/twitch-embedded-player-on-ionic-ios-not-working

I've found that affiliates can get donations from you if they do enough. Yesterday I discovered a streamer who during a Minecraft game told in detail pornographic noises and sexual preferences in the live chat, if people in the chat obscenely teased them or you were against it, the sentences in the chat were deleted directly by a moderator.. ...Since it's against the rules for a partnership on Twitch, and the streamer becomes money for dirty content, my idea is that words spoken live such as sex, private parts etc should be heard and muted the same way as when a piece of music is recognized and also a warning should follow. As well as then playing a counselor, where she said that she regularly hurts herself and was in psychiatric care, is not exactly a role model for children and every child can see that without registering!

I reported it immediately and the "Just Chatting" section contained almost only live pornographic posts, you don't have to look for them, they are there immediately, what can you do about it to protect the children and the Twitch brand ?

The DJ community regularly creates multi-DJ events ("Raid Trains") where DJs take turns doing a set for a predetermined amount of time and then raid the next channel on the schedule. These events can last anywhere from a few hours up to several days. Twitch needs a feature where a user could "follow" the raid train and allow them to pop in at any time. Currently, you'd have to know which channel in the raid train is broadcasting at the given hour, search for them and then join. In a 4-day raid train with 90 DJs, this can be a lot to ask of the viewer.

I feel the new CSP fields in the console can be improved.

Right now it states:

Comma-separated list of base URLs from which your Extension can load images (e.g. <img> HTML elements and favicons). These values will be used by the HTTP Content-Security-Policy (CSP) img-src directive

Comma-separated list of base URLs from which your Extension can load additional media (i.e. <audio>, <video>, and <track> HTML elements). These values will be used by the HTTP Content-Security-Policy (CSP) media-src directive.

Comma-separated list of base URLs from which your Extension can load information via scripting interfaces (e.g. API calls, fetch(), XMLHttpRequest, WebSockets). These values will be used by the HTTP Content-Security-Policy (CSP) connect-src directive.

A correctly constructed CSP for a given policy entry doesn't contain commas.

I feel it would be more practical to accept a "standard" CSP into these fields.

So you would specify in the fields a "valid" CSP for connct/img/media source. as per MDN - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Rather than a CSV that is beint intrepreted either by automation or the reviewer.

It would make sense all around that I enter, for image domains for example:

https://www.google-analytics.com/ https://images.igdb.com/ https://static-cdn.jtvnw.net/ https://pbs.twimg.com/

instead of

https://www.google-analytics.com/,https://images.igdb.com/,https://static-cdn.jtvnw.net/,https://pbs.twimg.com/

The latter is not a valid CSP, but the former is.

This makes it easier for developers to correctly specify a https and a wss for socket based operations. And means what is entered into the field is a direct match to what you would test with if you have as test server that provides the files and the CSP headers when in localtest.

Libraries such as helmet both accept a "valid" CSP or an array of entries. So in code:

app.use(twitchextensioncsp({
    clientID: 'ca2np9xlw9bx7vlppwn8ekwz9ws0io',
    enableMobile: true,
    imgSrc: [
        'https://www.google-analytics.com/ https://images.igdb.com/ https://static-cdn.jtvnw.net/ https://pbs.twimg.com/ https://twitch.extensions.barrycarlyon.co.uk/'
    ],

is valid as is

app.use(twitchextensioncsp({
    clientID: 'ca2np9xlw9bx7vlppwn8ekwz9ws0io',
    enableMobile: true,
    imgSrc: [
        'https://www.google-analytics.com/',
        'https://images.igdb.com/',
        'https://static-cdn.jtvnw.net/',
        'https://pbs.twimg.com/',
        'https://twitch.extensions.barrycarlyon.co.uk/'
    ],

The string version is easier to copy and paste from my test server to the entry field in the console. And the string version (without commas is a Valid CSP)

This means less complications by Twitch requiring a Comma Seperated List.

TLDR:

    imgSrc: [
        'https://www.google-analytics.com/ https://images.igdb.com/ https://static-cdn.jtvnw.net/ https://pbs.twimg.com/ https://twitch.extensions.barrycarlyon.co.uk/'
    ],

the above is valid CSP the below (if I direct copied from the console into code) is not.

    imgSrc: [
        'https://www.google-analytics.com/,https://images.igdb.com/,https://static-cdn.jtvnw.net/,https://pbs.twimg.com/,https://twitch.extensions.barrycarlyon.co.uk/'
    ],

So I propose change the CSP fields to accept valid CSP not a CSV.

Or it should be laid out like the oAuth redirect URI's (multiple text fields one URL per field add/remove buttons etc)

Currently, the only API endpoint which can return the current status of the channel is /search/channels, which contains a "is_live" boolean attribute.

So when I want to know if a channel (knowing its ID) is live through the API, the only way is by calling /channels first to get the channel name, then by calling /search/channels with the channel name, and finally sort the results to find the correct channel.

This is excessively time and ressources consuming, for both developpers and Twitch servers (two API call instead of just one). Would be great to add a "is_live" field in /channels endpoint