Closed 0x0ade closed 6 years ago
Removed a dozen incompatible and outdated providers. Some are even linking to malware due to neglect... Seems like we'll need to maintain our own (trusted) oembed list.
I also fixed a few things, getting f.e. images to show up "natively" if possible.
Attempting to fit it in a minor change before this gets merged: sandboxed jsonp
The main jsonp junk is now loaded into a separate iframe with only the `allow-scripts` permission.
I'm sorry if I haven't merged yet :) I'm trying something out before I start breaking shit. Give me a few more hours and I'll merge :)
Lol that screenshot is awful, of all the links I could have shared, it had to be Al paradise.
FUUUUUUUUUUCK, I didn't mean to do that.
Okay, it's alright finally. :) Works well with what I was doing. Good implementation, Maik.
I just saw the notifications :D
No need to be sorry about not having merged this PR earlier :) it just gives me more time to polish it (i.e. sandboxed jsonp)
And thanks :)
This PR adds some basic oembed support. Embeds load lazily to prevent anything bad(tm) from happening.
The iframes are sandboxed with the following permissions: `allow-popups allow-scripts allow-same-origin`

`allow-same-origin` allows accessing `localStorage`/cookies, which is required by some providers.

The oembed provider list is a reduced set, based on the list from https://github.com/nfl/jquery-oembed-all (MIT-licensed, sourced).
Unfortunately some content providers aren't supported yet, though, as they require some additional processing. This PR should provide a good enough baseline, though.
(At the moment, "Content not supported" is also the generic error message.)
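
An added example, not code from this PR: one way to choose the sandbox tokens listed above, keeping `allow-same-origin` only for provider content on a different origin and giving the JSONP loader frame `allow-scripts` alone. The function names and the `chat.example` / `player.example` origins are hypothetical, and restricting embeds to http(s) URLs is an assumption of the example.

```javascript
// Added example; function names and origins are hypothetical.
// Token sets as stated in the PR description.
const PROVIDER_SANDBOX = ['allow-popups', 'allow-scripts', 'allow-same-origin'];
const JSONP_SANDBOX = ['allow-scripts'];

// Return the sandbox attribute value for a frame.
// kind: 'provider' (third-party embed page) or 'jsonp' (JSONP loader frame).
function sandboxFor(kind, frameUrl, hostOrigin) {
  if (kind === 'jsonp') {
    // Without allow-same-origin the frame runs in an opaque origin and
    // cannot read the embedding page's cookies or localStorage.
    return JSONP_SANDBOX.join(' ');
  }
  const url = new URL(frameUrl); // throws on malformed input
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    // Assumption of this example: only http(s) embeds are accepted.
    throw new Error('unsupported embed scheme: ' + url.protocol);
  }
  // allow-scripts together with allow-same-origin is only safe for content
  // from a different origin: same-origin content could reach into the
  // parent document and remove its own sandbox attribute.
  const sameOrigin = url.origin === hostOrigin;
  return PROVIDER_SANDBOX
    .filter((token) => !(sameOrigin && token === 'allow-same-origin'))
    .join(' ');
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the iframe markup for a provider embed.
function providerIframe(frameUrl, hostOrigin) {
  const sandbox = sandboxFor('provider', frameUrl, hostOrigin);
  const src = new URL(frameUrl).href; // normalized, percent-encoded form
  return '<iframe sandbox="' + sandbox + '" src="' + escapeAttr(src) + '"></iframe>';
}
```
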