tecknojock closed 7 years ago
I already thought a lot about this, and I did not do it (at least for the moment) because:
I had a feeling that if it were to happen we'd probably only get image previews, because you're right about those security concerns.
And my comment about not loading images until the preview was activated is rather important for those of us who IRC at work and may be in a couple NSFW chats. Don't want something linked from a porn site and then, even if it's not loaded, getting flagged and recorded by the firewall.
Fwiw, as a user, I don't see the security concerns as a reason to not implement this, but rather as a reason for it to be disabled by default, with a warning when enabling it.
Personally, I'm willing to risk the security issues in exchange for the convenience it offers.
There are several implementations of this as an external userscript already that could be used for inspiration.
http://pastebin.com/YwZxbWAn was one posted recently by qws-user-1228 in #quassel and justJanne riffed on that:
<justJanne> my version is at https://cdn.kuschku.de/qws-script/embed.user.js, but you’ll likely want to modify it so it also runs on other domains
<justJanne> (with your :64443 hack, ofc)
<justJanne> it works with images, rich media content, audio, everything
<justJanne> actually, this works so well, I won’t go back to the normal quassel client
Some examples of that can be seen here:
<justJanne> testdata: https://www.youtube.com/watch?v=sWnZkIl374c
<justJanne> testdata #2: https://twitter.com/HPFriedrichCSU/status/769667299129384960
<justJanne> http://i.imgur.com/9qr9MYA.png
For Website Preview one could perhaps use some third-party website screenshot database … like shrinktheweb.com or pagepeeker.com or similar … (perhaps configurable like search engines in browsers). But this is lower priority than embeddable links.
That, to me, would be more of a security issue. That lets a third party have screengrabs of whatever links I might be previewing, and I find that more invasive than my IP pinging a server because of a preview.
To me, something that functions similarly to justJanne's solution, disabled by default and with a warning on enabling, perhaps with the option to configure proxying the requests elsewhere if so desired for added security, would be the ideal solution.
Glowing Bear for WeeChat allows for inline URL previews. It'd be rather neat if this could be done in quassel-web, though preferably waiting to fetch any data until you expand the preview (or allowing it to be turned off entirely in the options).
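
The design the comments above converge on (image previews only, off by default behind a warning, nothing fetched until the preview is expanded, optional proxying), sketched as an added example that is not part of the thread or of quassel-web's code. The settings object, `planPreview`, `PreviewPlaceholder` and the proxy address are hypothetical names chosen for illustration.

```javascript
// Added example: hypothetical names, not quassel-web code.
const DEFAULT_SETTINGS = Object.freeze({
  previewsEnabled: false, // off by default, the user must opt in
  warningAccepted: false, // set once the user has confirmed the warning
  proxyBase: null,        // e.g. "https://proxy.example/fetch?u=" (constructed)
});

const IMAGE_EXT = /\.(png|jpe?g|gif|webp)$/i;

// Decide what to render for a link in a message, without touching the network.
function planPreview(rawUrl, settings = DEFAULT_SETTINGS) {
  if (!settings.previewsEnabled || !settings.warningAccepted) {
    return { action: 'link-only', reason: 'previews disabled' };
  }
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: 'link-only', reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { action: 'link-only', reason: 'scheme not allowed' };
  }
  if (!IMAGE_EXT.test(url.pathname)) {
    return { action: 'link-only', reason: 'not an image' };
  }
  // With a proxy configured, the remote host sees the proxy's address, not the user's.
  const fetchUrl = settings.proxyBase
    ? settings.proxyBase + encodeURIComponent(url.href)
    : url.href;
  return { action: 'placeholder', fetchUrl };
}

// Holds the plan but issues no request until the user expands the preview.
class PreviewPlaceholder {
  constructor(plan, loader) {
    this.plan = plan;
    this.loader = loader; // in a browser: (u) => { img.src = u; }
    this.loaded = false;
  }
  expand() {
    if (this.plan.action !== 'placeholder' || this.loaded) return false;
    this.loaded = true;
    this.loader(this.plan.fetchUrl);
    return true;
  }
}
```

Because the placeholder never assigns an image source before `expand()` runs, a link posted in a channel produces no outbound request that a workplace firewall could log until the user asks for it.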