search

diaspora / diaspora

A privacy-aware, distributed, open source social network.
https://diasporafoundation.org/
GNU Affero General Public License v3.0
13.37k stars 2.92k forks source link

Allow oembed for peertube instances #7792

Open paskalito opened 6 years ago

paskalito commented 6 years ago

so that videos like this for example https://peertube.video/videos/watch/da2b08d4-a242-4170-b32a-4ec8cbdca701 would be displayed within diaspora.

peertube is a decentral video hosting platform https://joinpeertube.org

Flaburgan commented 6 years ago

We already thought about that and it is not trivial. The main blocker point is, as peertube is decentralized, we cannot easily whitelist the urls allowed to be embedded. And to allow any URL to execute external javascript would be a major security flaw. @Chocobozzz as you know webtorrent better than us, is there a way to embed video without JS? Possibly only with <video> element? I guess not but eh, asking doesn't harm. Did you already think about embedding of peertube video? How do you think we can solve this problem?

Chocobozzz commented 6 years ago

And to allow any URL to execute external javascript would be a major security flaw.

You could put the embed in an iframe with some security attributes. That's what Mastodon does.

is there a way to embed video without JS? Possibly only with

Yes you could, but we don't really want people do this because we would loose the P2P aspect of PeerTube.

paskalito commented 6 years ago

how about an easy streamlined process to get URL's whitelistet?

gegeweb commented 6 years ago

I'have whitelisted my own Peertube pod on my Diaspora* pod. It's easy by editing config/oembed_providers.yml.

peertube:
  endpoint: "https://peertube.gegeweb.eu/services/oembed"
  urls:
    - https://peertube.gegeweb.eu/videos/watch/*

So, it woud be probably easy to get a list of known peertube pods and update the whitelist with this list. "On the fly", it would be nice.

But there is a bug when displaying/embeding the vidéo.

Before playing :

capture

After starting to watch the video :

capture2

Don't know if it is an issue with Diaspora* or Peertube.

gegeweb commented 6 years ago

Here is the json returned by https://peertube.gegeweb.eu/services/oembed?url=https://peertube.gegeweb.eu/videos/watch/90e451da-a47c-452b-bd49-80268c3c9e4c

{
    "type":"video",
    "version":"1.0",
    "html":"<iframe width=\"560\" height=\"315\" sandbox=\"allow-same-origin allow-scripts\" src=\"https://peertube.gegeweb.eu/videos/embed/90e451da-a47c-452b-bd49-80268c3c9e4c\" frameborder=\"0\" allowfullscreen></iframe>",
    "width":560,
    "height":315,
    "title":"Deep Sea Gypsies – You Should Know (official music video)",
    "author_name":"Gérald Niel",
    "provider_name":"PeerTube",
    "provider_url":"https://peertube.gegeweb.eu",
    "thumbnail_url":"https://peertube.gegeweb.eu/static/previews/90e451da-a47c-452b-bd49-80268c3c9e4c.jpg",
    "thumbnail_width":560,
    "thumbnail_height":315
}

But, thumbnail is not displayed before playing video, and the height of the iframe is very small (18px instead of 315px it would be) when starting to play.

Is there something to change on the Peertube side (json)? But it seems correct : https://oembed.com/#section5

DeadSuperHero commented 5 years ago

You could put the embed in an iframe with some security attributes. That's what Mastodon does.

Incidentally, this works very well on Mastodon's end.