Rotonde / rotonde-client

Rotonde Base Client
https://client-neauoire.hashbase.io/
MIT License

Add oembed support #161

Closed 0x0ade closed 6 years ago

0x0ade commented 6 years ago

This PR adds some basic oembed support. Embeds load lazily to prevent anything bad(tm) from happening.

The iframes are sandboxed with the following permissions: allow-popups allow-scripts allow-same-origin

allow-same-origin allows accessing localStorage / cookies, which is required by some providers.

The oembed provider list is a reduced set, based on the list from https://github.com/nfl/jquery-oembed-all (MIT-licensed, sourced).

Unfortunately some content providers aren't supported yet, though, as they require some additional processing. This PR should provide a good enough baseline, though.

(At the moment, "Content not supported" is also the generic error message.)

0x0ade commented 6 years ago

Removed a dozen incompatible and outdated providers. Some are even linking to malware due to neglect... Seems like we'll need to maintain our own (trusted) oembed list.

I also fixed a few things, getting f.e. images to show up "natively" if possible.

Attempting to fit it in a minor change before this gets merged: sandboxed jsonp

0x0ade commented 6 years ago

The main jsonp junk is now loaded into a separate iframe with only the allow-scripts permission.
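
The sandboxed JSONP arrangement described in this comment, sketched as an added example (not code from this PR or from rotonde-client). The function names, the `callback` query parameter and the `provider.example` / `app.example` hosts are assumptions made for illustration.

```javascript
// Added example; buildJsonpFrame and acceptOembedMessage are hypothetical names.
const JSONP_SANDBOX = "allow-scripts"; // no allow-same-origin: opaque origin, no cookies/localStorage

const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Markup for the hidden frame that runs the provider's JSONP response.
// Assumes the provider takes the callback name in a "callback" parameter and
// that parentOrigin is a constant supplied by the app, not user input.
function buildJsonpFrame(endpoint, parentOrigin) {
  const url = new URL(endpoint);
  if (url.protocol !== "https:") throw new Error("oembed endpoint must be https");
  url.searchParams.set("callback", "cb");
  const inner =
    `<script>function cb(d){parent.postMessage(d,${JSON.stringify(parentOrigin)})}</script>` +
    `<script src="${escapeAttr(url.href)}"></script>`;
  return `<iframe hidden sandbox="${JSONP_SANDBOX}" srcdoc="${escapeAttr(inner)}"></iframe>`;
}

// Check for the parent's "message" handler. frameWindow is the JSONP iframe's
// contentWindow. Returns a reduced object, or null if the message is rejected.
function acceptOembedMessage(event, frameWindow) {
  if (event.source !== frameWindow) return null; // sent by some other window
  if (event.origin !== "null") return null;      // sender is not an opaque-origin (sandboxed) frame
  const d = event.data;
  if (d === null || typeof d !== "object") return null;
  const str = (v) => (typeof v === "string" ? v : "");
  if (d.type === "photo" && /^https:\/\//i.test(str(d.url))) {
    // Photos can be shown as a plain image element, no provider script needed.
    return { type: "photo", title: str(d.title), url: d.url };
  }
  if ((d.type === "video" || d.type === "rich") && str(d.html) !== "") {
    // Provider HTML stays untrusted: render it only inside the sandboxed embed iframe.
    return { type: d.type, title: str(d.title), html: d.html };
  }
  return null;
}
```

Because the JSONP frame has an opaque origin, every message from it arrives with `event.origin` equal to the string `"null"`, so the `event.source` comparison is what actually ties a message to this particular frame.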

neauoire commented 6 years ago

I'm sorry if I haven't merged yet :) I'm trying something out before I start breaking shit. Give me a few more hours and I'll merge :)

neauoire commented 6 years ago

Lol that screenshot is awful, of all the links I could have shared, it had to be Al paradise.

neauoire commented 6 years ago

FUUUUUUUUUUCK, I didn't mean to do that.

neauoire commented 6 years ago

Okay, it's alright finally. :) Works well with what I was doing. Good implementation Maik.

0x0ade commented 6 years ago

I just saw the notifications :D

No need to be sorry about not having merged this PR earlier :) it just gives me more time to polish it (i.e. sandboxed jsonp)

And thanks :)