Dynamically appending enablejsapi=1 to existing YouTube iframes via cloneNode/replaceChild

I am building a custom VTT subtitle engine for a React SPA that syncs text to embedded YouTube videos. To poll getCurrentTime(), I rely on the YouTube IFrame Player API.

The Problem: Because the application is an SPA, the embeds frequently render dynamically via the CMS without the enablejsapi=1 and origin parameters natively attached to the src URL. Without these, the API handshake drops and getCurrentTime() becomes inaccessible.

My Current Workaround: To force the API connection inside my useEffect hook, my script identifies the iframe, clones the node, appends the required parameters, and replaces the element in the DOM using vanilla JavaScript:

// Simplified snippet of my current approach let newSrc = mediaEl.src || ''; if (!newSrc.includes('enablejsapi=1')) { // Append missing parameters newSrc += (newSrc.includes('?') ? '&' : '?') + 'enablejsapi=1&origin=' + encodeURIComponent(window.location.origin); // Clone and replace the node to force the new src const clone = mediaEl.cloneNode(true); if (!clone.id) clone.id = `yt-iframe-${Math.random().toString(36).substr(2, 9)}`; clone.src = newSrc; if (mediaEl.parentNode) { mediaEl.parentNode.replaceChild(clone, mediaEl); } mediaEl = clone; // Update reference for YT.Player initialization } // ... proceed to initialize new window.YT.Player(mediaEl, {...})

My Questions:

React Lifecycle: Is performing vanilla DOM mutation (replaceChild) on an iframe safe inside a React useEffect, or will this cause memory leaks/desyncs when React attempts to unmount the original node?

Security/Browser Flags: Does dynamically cloning and replacing cross-origin iframes like this trigger automated iframe-tampering or security flags in modern browsers?

Best Practice: Is there a cleaner, React-native way to initialize the YT.Player over a standard embed when the source URL lacks the API parameter, without destroying and replacing the node?

(Note: For full context on how this fits into the component lifecycle and polling intervals, the raw source file is here: https://github.com/OpenTuwa/OpenTuwaRe/blob/main/src/components/VttEngine.jsx)