sylvainjule / kirby-embed

Embed field for Kirby 3 and 4.

Sync error when trying to embed private Vimeo video #5

Closed jonasfeige closed 2 years ago

jonasfeige commented 3 years ago

I ran into an issue with my own Vimeo panel-implementation and learnt about your plugin. It looks really great but it seems to have the same issue as mine in regards to private Vimeo videos:

When trying to embed a private video from Vimeo (hidden from Vimeo but safelisted for a specific domain) the plugin throws a sync error. The video is however embeddable on the front-end as expected, the domains are the same. I therefore assume that the panel gets in the way, somehow blocking the necessary referrer.

Do you have any idea what might be the cause and how to circumvent it?

tristantbg commented 3 years ago

This plugin will never work with private videos as it uses oEmbed directives. Closing this.

sylvainjule commented 3 years ago

@tristantbg I haven't had the case yet but judging from their docs it seems that if we send them the appropriate header the request might be valid?

In this plugin it'd be pretty straightforward to test, here:

$dispatcher = new Embed\Http\CurlDispatcher([
      CURLOPT_REFERER => 'https://domain.com',
      CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Safari/537.36'
]);

If this doesn't work, well, yes I think there'd be no way to get around this.

sebastiangreger commented 3 years ago

@sylvainjule -- @jonasfeige's post in the Kirby forum got me curious and I did some explorations. This appears to be due to the Kirby Panel's referrer policy. See my assessment here.

I tried it out and when I edit vendor/embed/embed/src/Utils.php to include a specific referrerpolicy attribute for the iframe element, the plugin is sending the site's URL as a referrer (as opposed to not sending any, due to the global policy in the panel's HTML meta):

        return self::element('iframe', [
            'src' => $src,
            'frameborder' => 0,
            'allowTransparency' => 'true',
            'style' => $styles,
            'referrerpolicy' => "strict-origin-when-cross-origin",
        ]).'</iframe>';

That's of course inside vendor, but maybe it can be overridden in your own code somewhere? Awaiting confirmation from somebody with a Vimeo Pro account to verify, but this is likely the reason for this issue.
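Added example, not part of the thread and not the plugin's or Kirby's code: a simplified JavaScript model of how a browser picks the Referer for an iframe request, showing why a restrictive document-level policy sends nothing cross-origin while a per-iframe `referrerpolicy` of `strict-origin-when-cross-origin` sends only the origin. The Panel URL, the video id, the document policy values and the `embedAllowed` allowlist check are assumptions made for illustration.

```javascript
// Simplified model of the W3C Referrer Policy "determine request's referrer" step.
// Returns the Referer value a browser would send, or null when none is sent.
function computeReferrer(policy, documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  const sameOrigin = doc.origin === target.origin;
  // Downgrade (simplified): an https page requesting a non-https resource.
  const downgrade = doc.protocol === 'https:' && target.protocol !== 'https:';
  const originOnly = doc.origin + '/';
  // Full URL with credentials and fragment stripped.
  const stripped = doc.origin + doc.pathname + doc.search;

  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return originOnly;
    case 'unsafe-url': return stripped;
    case 'same-origin': return sameOrigin ? stripped : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? stripped : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : stripped;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripped;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// A non-empty referrerpolicy attribute on the iframe takes precedence over
// the document-wide policy (for example one set in a <meta name="referrer">).
function iframeReferrer(documentPolicy, iframePolicy, documentUrl, src) {
  return computeReferrer(iframePolicy || documentPolicy, documentUrl, src);
}

// Hypothetical stand-in for a provider-side domain allowlist check.
function embedAllowed(referrer, allowedHosts) {
  return referrer !== null && allowedHosts.includes(new URL(referrer).hostname);
}

// Constructed sample values (placeholders, not taken from the thread).
const PANEL_URL = 'https://example.com/panel/pages/videos?tab=media#top';
const PLAYER_SRC = 'https://player.vimeo.com/video/000000000';

const before = iframeReferrer('same-origin', '', PANEL_URL, PLAYER_SRC);
const after = iframeReferrer('same-origin', 'strict-origin-when-cross-origin',
                             PANEL_URL, PLAYER_SRC);
console.log({ before, after, allowed: embedAllowed(after, ['example.com']) });
```

With the per-iframe override only the origin is disclosed to the player, never the Panel path or query string, and nothing is sent on an HTTPS to HTTP downgrade.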

jonasfeige commented 3 years ago

I can confirm that it is possible to get a private, whitelisted video by setting the referrer header and adding the referrer policy to the iframe, as @sebastiangreger suggests. I have just solved this for my own, very bare-bones plugin in JS. Adding this to yours, which is far more fleshed out than mine, would be much appreciated, @sylvainjule @tristantbg.

sylvainjule commented 3 years ago

I'd be keen to try and develop something to fix this, but I don't have access to Pro accounts. @tristantbg @jonasfeige does one of you have the ability to share (privately) a Vimeo Pro video link for testing purposes?

jonasfeige commented 3 years ago

Yes, I will send you a link some time during the weekend, @sylvainjule.

tristantbg commented 3 years ago

@sebastiangreger @sylvainjule Sorry to have closed this too quickly. I learned something, and I should have done some research before acting too quickly! Looking forward to having this implementation in Kirby Embed.

moevbiz commented 3 years ago

any updates on this one? would love to use the plugin for a current project, let me know if there's anything i can do to help

sylvainjule commented 2 years ago

Took a long time to add but it's now added: you can embed private / specific-domain Vimeo videos.