From f30797e7549123f94989e85bdefc1c7f0c0b717e Mon Sep 17 00:00:00 2001 From: Kagami Sascha Rosylight Date: Sat, 11 Mar 2023 22:37:40 +0100 Subject: [PATCH] ignored permissions --- src/general.ts | 17 +++++++++++++---- test/index.ts | 16 ++++++++++++++-- ...=> oembed-allow-safelisted-permissions.json} | 2 +- test/oembed/oembed-ignore-rare-permissions.json | 7 +++++++ 4 files changed, 35 insertions(+), 7 deletions(-) rename test/oembed/{oembed-allow-safelisted-features.json => oembed-allow-safelisted-permissions.json} (62%) create mode 100644 test/oembed/oembed-ignore-rare-permissions.json diff --git a/src/general.ts b/src/general.ts index d335e7a..3a31f77 100644 --- a/src/general.ts +++ b/src/general.ts @@ -84,15 +84,24 @@ async function getOEmbedPlayer($: cheerio.CheerioAPI, pageUrl: string): Promise< // TODO: This implementation only allows basic syntax of `allow`. // Might need to implement better later. - const allowedFeatures = (iframe.attr('allow') ?? '').split(/\s*;\s*/g).filter(s => s); const safeList = [ 'autoplay', 'clipboard-write', 'fullscreen', 'encrypted-media', - 'picture-in-picture' + 'picture-in-picture', + 'web-share', ]; - if (allowedFeatures.some(allow => !safeList.includes(allow))) { + // YouTube has these but they are almost never used. + const ignoredList = [ + 'gyroscope', + 'accelerometer', + ]; + const allowedPermissions = + (iframe.attr('allow') ?? '').split(/\s*;\s*/g) + .filter(s => s) + .filter(s => !ignoredList.includes(s)); + if (allowedPermissions.some(allow => !safeList.includes(allow))) { // This iframe is probably too powerful to be embedded return null; } @@ -101,7 +110,7 @@ async function getOEmbedPlayer($: cheerio.CheerioAPI, pageUrl: string): Promise< url, width, height, - allow: allowedFeatures + allow: allowedPermissions } } diff --git a/test/index.ts b/test/index.ts index 98e0dc4..9b856a0 100644 --- a/test/index.ts +++ b/test/index.ts 
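Review bot: The new `ignoredList` filter in the middle of the hunk silently strips `gyroscope` and `accelerometer` instead of rejecting the embed, and the comment above it explains only why YouTube sends them, not that the outcome is a downgrade; I would replace it with `// Stripped, not granted: the player is still returned, but without these sensor permissions, so the consumer never has to decide about them.` so nobody later "fixes" it by moving them into `safeList`. Matching is exact-token after the `;` split, so a provider sending `gyroscope *` or `autoplay 'self'` still reaches the `safeList` check and is rejected — fail-closed, which is the right default, but worth stating next to the existing TODO. Both lists are rebuilt on every call; module-level `const SAFE_PERMISSIONS: ReadonlySet<string>` / `IGNORED_PERMISSIONS` would keep the policy in one visible place and cheaper. Adding `web-share` lets the embedded frame open the browser's share UI with content it chooses on a user gesture — low risk, but a short justification in the safelist would help future audits. `getOEmbedPlayer` begins before and ends after this hunk.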
@@ -294,12 +294,24 @@ describe("oEmbed", () => { await setUpFastify('oembed-allow-fullscreen.json'); const summary = await summaly(host); expect(summary.player.url).toBe('https://example.com/'); + expect(summary.player.allow).toStrictEqual(['fullscreen']) }); - test('allows safelisted features', async () => { - await setUpFastify('oembed-allow-safelisted-features.json'); + test('allows safelisted permissions', async () => { + await setUpFastify('oembed-allow-safelisted-permissions.json'); const summary = await summaly(host); expect(summary.player.url).toBe('https://example.com/'); + expect(summary.player.allow).toStrictEqual([ + 'autoplay', 'clipboard-write', 'fullscreen', + 'encrypted-media', 'picture-in-picture', 'web-share', + ]); + }); + + test('ignores rare permissions', async () => { + await setUpFastify('oembed-ignore-rare-permissions.json'); + const summary = await summaly(host); + expect(summary.player.url).toBe('https://example.com/'); + expect(summary.player.allow).toStrictEqual(['autoplay']); }); test('oEmbed with relative path', async () => { diff --git a/test/oembed/oembed-allow-safelisted-features.json b/test/oembed/oembed-allow-safelisted-permissions.json similarity index 62% rename from test/oembed/oembed-allow-safelisted-features.json rename to test/oembed/oembed-allow-safelisted-permissions.json index 94cb9ef..247441b 100644 --- a/test/oembed/oembed-allow-safelisted-features.json +++ b/test/oembed/oembed-allow-safelisted-permissions.json @@ -1,7 +1,7 @@ { "version": "1.0", "type": "rich", - "html": "", + "html": "", "width": 500, "height": 300 } diff --git a/test/oembed/oembed-ignore-rare-permissions.json b/test/oembed/oembed-ignore-rare-permissions.json new file mode 100644 index 0000000..78e7fc8 --- /dev/null +++ b/test/oembed/oembed-ignore-rare-permissions.json @@ -0,0 +1,7 @@ +{ + "version": "1.0", + "type": "rich", + "html": "", + "width": 500, + "height": 300 +}
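Review bot: The tests added here cover only accept paths; none demonstrates that the ignore filter is not a bypass, i.e. that an iframe carrying an ignored token alongside a non-safelisted one (say `gyroscope; camera`) is still rejected exactly as the existing non-safelisted case is (assuming such a test exists above this hunk). I would add one test with such a fixture asserting the same rejection outcome that test checks. Also, the first added line `expect(summary.player.allow).toStrictEqual(['fullscreen'])` lacks the trailing semicolon used on every other statement in the file. The enclosing `describe` block starts and ends outside the hunk.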