Mastodon’s current option for embedding posts (“toots”) on other websites is inefficient, inflexible, and insecure.[1] It embeds posts via an iframe element which loads over a megabyte of content and scripts from the Mastodon server. That iframe gives those scripts full control over your webpage.[2] You, the embedder, get no control over how the content is rendered on your page. Important content can be cropped out of view, as journalists have complained when trying to embed toots.