built

CHANGELOG.md

@@ -1,3 +1,7 @@
+Unreleased
+------------------
+* oEmbed type=richの制限的なサポート
+
 3.0.4 / 2023-02-12
 ------------------
 * 不要な依存関係を除去

README.md

@@ -21,7 +21,7 @@ import { summaly } from 'summaly';
 summaly(url[, opts])
 ```
 
-As Fastify plugin:  
+As Fastify plugin:
 (will listen `GET` of `/`)
 
 ```javascript
@@ -60,27 +60,39 @@ interface IPlugin {
 
 A Promise of an Object that contains properties below:
 
-※ Almost all values are nullable. player shoud not be null.
+※ Almost all values are nullable. player should not be null.
 
 #### Root
 
-| Property        | Type     | Description                              |
-| :-------------- | :------- | :--------------------------------------- |
-| **description** | *string* | The description of the web page          |
-| **icon**        | *string* | The url of the icon of the web page      |
-| **sitename**    | *string* | The name of the web site                 |
-| **thumbnail**   | *string* | The url of the thumbnail of the web page |
-| **player**      | *Player* | The player of the web page               |
-| **title**       | *string* | The title of the web page                |
-| **url**         | *string* | The url of the web page                  |
+| Property        | Type               | Description                                 |
+| :-------------- | :-------           | :------------------------------------------ |
+| **description** | *string*           | The description of the web page             |
+| **icon**        | *string*           | The url of the icon of the web page         |
+| **sitename**    | *string*           | The name of the web site                    |
+| **thumbnail**   | *string*           | The url of the thumbnail of the web page    |
+| **oEmbed**      | *OEmbedRichIframe* | The oEmbed rich iframe info of the web page |
+| **player**      | *Player*           | The player of the web page                  |
+| **title**       | *string*           | The title of the web page                   |
+| **url**         | *string*           | The url of the web page                     |
 
 #### Player
 
-| Property        | Type     | Description                              |
-| :-------------- | :------- | :--------------------------------------- |
-| **url**         | *string* | The url of the player                    |
-| **width**       | *number* | The width of the player                  |
-| **height**      | *number* | The height of the player                 |
+| Property        | Type       | Description                                     |
+| :-------------- | :--------- | :---------------------------------------------- |
+| **url**         | *string*   | The url of the player                           |
+| **width**       | *number*   | The width of the player                         |
+| **height**      | *number*   | The height of the player                        |
+| **allow**       | *string[]* | The names of the allowed permissions for iframe |
+
+Currently the possible items in `allow` are:
+
+* `autoplay`
+* `clipboard-write`
+* `fullscreen`
+* `encrypted-media`
+* `picture-in-picture`
+
+See [Permissions Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy) in MDN for details of them.
 
 ### Example
 

built/general.d.ts

@@ -1,4 +1,4 @@
 import * as URL from 'node:url';
-import Summary from './summary.js';
+import type { default as Summary } from './summary.js';
 declare const _default: (url: URL.Url, lang?: string | null) => Promise<Summary | null>;
 export default _default;

built/general.js

@@ -2,7 +2,102 @@ import * as URL from 'node:url';
 import clip from './utils/clip.js';
 import cleanupTitle from './utils/cleanup-title.js';
 import { decode as decodeHtml } from 'html-entities';
-import { head, scpaping } from './utils/got.js';
+import { get, head, scpaping } from './utils/got.js';
+import * as cheerio from 'cheerio';
+/**
+ * Contains only the html snippet for a sanitized iframe as the thumbnail is
+ * mostly covered in OpenGraph instead.
+ *
+ * Width should always be 100%.
+ */
+async function getOEmbedPlayer($, pageUrl) {
+    const href = $('link[type="application/json+oembed"]').attr('href');
+    if (!href) {
+        return null;
+    }
+    // XXX: Use global URL object instead of the deprecated `node:url`
+    // Disallow relative URL as no one seems to use it
+    const oEmbed = await get(URL.resolve(pageUrl, href));
+    const body = (() => {
+        try {
+            return JSON.parse(oEmbed);
+        }
+        catch { }
+    })();
+    if (!body || body.version !== '1.0' || !['rich', 'video'].includes(body.type)) {
+        // Not a well formed rich oEmbed
+        return null;
+    }
+    if (!body.html.startsWith('<iframe ') || !body.html.endsWith('</iframe>')) {
+        // It includes something else than an iframe
+        return null;
+    }
+    const oEmbedHtml = cheerio.load(body.html);
+    const iframe = oEmbedHtml("iframe");
+    if (iframe.length !== 1) {
+        // Somehow we either have multiple iframes or none
+        return null;
+    }
+    if (iframe.parents().length !== 2) {
+        // Should only have the body and html elements as the parents
+        return null;
+    }
+    const url = iframe.attr('src');
+    if (!url) {
+        // No src?
+        return null;
+    }
+    // XXX: Use global URL object instead of the deprecated `node:url`
+    if (URL.parse(url).protocol !== 'https:') {
+        // Allow only HTTPS for best security
+        return null;
+    }
+    // Height is the most important, width is okay to be null. The implementer
+    // should choose fixed height instead of fixed aspect ratio if width is null.
+    //
+    // For example, Spotify's embed page does not strictly follow aspect ratio
+    // and thus keeping the height is better than keeping the aspect ratio.
+    //
+    // Spotify gives `width: 100%, height: 152px` for iframe while `width: 456,
+    // height: 152` for oEmbed data, and we treat any percentages as null here.
+    let width = Number(iframe.attr('width') ?? body.width);
+    if (Number.isNaN(width)) {
+        width = null;
+    }
+    const height = Math.min(Number(iframe.attr('height') ?? body.height), 1024);
+    if (Number.isNaN(height)) {
+        // No proper height info
+        return null;
+    }
+    // TODO: This implementation only allows basic syntax of `allow`.
+    // Might need to implement better later.
+    const safeList = [
+        'autoplay',
+        'clipboard-write',
+        'fullscreen',
+        'encrypted-media',
+        'picture-in-picture',
+        'web-share',
+    ];
+    // YouTube has these but they are almost never used.
+    const ignoredList = [
+        'gyroscope',
+        'accelerometer',
+    ];
+    const allowedPermissions = (iframe.attr('allow') ?? '').split(/\s*;\s*/g)
+        .filter(s => s)
+        .filter(s => !ignoredList.includes(s));
+    if (allowedPermissions.some(allow => !safeList.includes(allow))) {
+        // This iframe is probably too powerful to be embedded
+        return null;
+    }
+    return {
+        url,
+        width,
+        height,
+        allow: allowedPermissions
+    };
+}
 export default async (url, lang = null) => {
     if (lang && !lang.match(/^[\w-]+(\s*,\s*[\w-]+)*$/))
         lang = null;
@@ -73,10 +168,16 @@ export default async (url, lang = null) => {
         // スラッシュを付けて返却
         return '/' + relativeURLString;
     };
-    const icon = await find(favicon) ||
-        // 相対指定を絶対指定に変換し再試行
-        await find(toAbsolute(favicon)) ||
-        null;
+    const getIcon = async () => {
+        return await find(favicon) ||
+            // 相対指定を絶対指定に変換し再試行
+            await find(toAbsolute(favicon)) ||
+            null;
+    };
+    const [icon, oEmbed] = await Promise.all([
+        getIcon(),
+        getOEmbedPlayer($, url.href),
+    ]);
     // Clean up the title
     title = cleanupTitle(title, siteName);
     if (title === '') {
@@ -87,10 +188,11 @@ export default async (url, lang = null) => {
         icon: icon || null,
         description: description || null,
         thumbnail: image || null,
-        player: {
+        player: oEmbed ?? {
             url: playerUrl || null,
             width: Number.isNaN(playerWidth) ? null : playerWidth,
-            height: Number.isNaN(playerHeight) ? null : playerHeight
+            height: Number.isNaN(playerHeight) ? null : playerHeight,
+            allow: ['fullscreen', 'encrypted-media'],
         },
         sitename: siteName || null,
         sensitive,

built/plugins/amazon.js

@@ -36,8 +36,9 @@ export async function summarize(url) {
         player: {
             url: playerUrl || null,
             width: playerWidth ? parseInt(playerWidth) : null,
-            height: playerHeight ? parseInt(playerHeight) : null
+            height: playerHeight ? parseInt(playerHeight) : null,
+            allow: playerUrl ? ['fullscreen', 'encrypted-media'] : [],
         },
-        sitename: 'Amazon'
+        sitename: 'Amazon',
     };
 }

built/plugins/wikipedia.js

@@ -29,8 +29,9 @@ export async function summarize(url) {
         player: {
             url: null,
             width: null,
-            height: null
+            height: null,
+            allow: [],
         },
-        sitename: 'Wikipedia'
+        sitename: 'Wikipedia',
     };
 }

built/summary.d.ts

@@ -42,4 +42,8 @@ export declare type Player = {
      * The height of the player
      */
     height: number | null;
+    /**
+     * The allowed permissions of the iframe
+     */
+    allow: string[];
 };

built/utils/got.js

@@ -84,14 +84,15 @@ async function getResponse(args) {
             limit: 0,
         },
     });
-    return await receiveResponce({ req, typeFilter: args.typeFilter });
+    return await receiveResponse({ req, typeFilter: args.typeFilter });
 }
-async function receiveResponce(args) {
+async function receiveResponse(args) {
     const req = args.req;
     const maxSize = MAX_RESPONSE_SIZE;
     req.on('response', (res) => {
         // Check html
         if (args.typeFilter && !res.headers['content-type']?.match(args.typeFilter)) {
+            // console.warn(res.headers['content-type']);
             req.cancel(`Rejected by type filter ${res.headers['content-type']}`);
             return;
         }

src/general.ts

@@ -4,8 +4,115 @@ import cleanupTitle from './utils/cleanup-title.js';
 
 import { decode as decodeHtml } from 'html-entities';
 
-import { head, scpaping } from './utils/got.js';
-import Summary from './summary.js';
+import { get, head, scpaping } from './utils/got.js';
+import type { default as Summary, Player } from './summary.js';
+import * as cheerio from 'cheerio';
+
+/**
+ * Contains only the html snippet for a sanitized iframe as the thumbnail is
+ * mostly covered in OpenGraph instead.
+ *
+ * Width should always be 100%.
+ */
+async function getOEmbedPlayer($: cheerio.CheerioAPI, pageUrl: string): Promise<Player | null> {
+	const href = $('link[type="application/json+oembed"]').attr('href');
+	if (!href) {
+		return null;
+	}
+
+	// XXX: Use global URL object instead of the deprecated `node:url`
+	// Disallow relative URL as no one seems to use it
+	const oEmbed = await get(URL.resolve(pageUrl, href));
+	const body = (() => {
+		try {
+			return JSON.parse(oEmbed);
+		} catch {}
+	})();
+
+	if (!body || body.version !== '1.0' || !['rich', 'video'].includes(body.type)) {
+		// Not a well formed rich oEmbed
+		return null;
+	}
+
+	if (!body.html.startsWith('<iframe ') || !body.html.endsWith('</iframe>')) {
+		// It includes something else than an iframe
+		return null;
+	}
+
+	const oEmbedHtml = cheerio.load(body.html);
+	const iframe = oEmbedHtml("iframe");
+
+	if (iframe.length !== 1) {
+		// Somehow we either have multiple iframes or none
+		return null;
+	}
+
+	if (iframe.parents().length !== 2) {
+		// Should only have the body and html elements as the parents
+		return null;
+	}
+
+	const url = iframe.attr('src');
+	if (!url) {
+		// No src?
+		return null;
+	}
+
+	// XXX: Use global URL object instead of the deprecated `node:url`
+	if (URL.parse(url).protocol !== 'https:') {
+		// Allow only HTTPS for best security
+		return null;
+	}
+
+	// Height is the most important, width is okay to be null. The implementer
+	// should choose fixed height instead of fixed aspect ratio if width is null.
+	//
+	// For example, Spotify's embed page does not strictly follow aspect ratio
+	// and thus keeping the height is better than keeping the aspect ratio.
+	//
+	// Spotify gives `width: 100%, height: 152px` for iframe while `width: 456,
+	// height: 152` for oEmbed data, and we treat any percentages as null here.
+	let width: number | null = Number(iframe.attr('width') ?? body.width);
+	if (Number.isNaN(width)) {
+		width = null;
+	}
+	const height = Math.min(Number(iframe.attr('height') ?? body.height), 1024);
+	if (Number.isNaN(height)) {
+		// No proper height info
+		return null;
+	}
+
+	// TODO: This implementation only allows basic syntax of `allow`.
+	// Might need to implement better later.
+	const safeList = [
+		'autoplay',
+		'clipboard-write',
+		'fullscreen',
+		'encrypted-media',
+		'picture-in-picture',
+		'web-share',
+	];
+	// YouTube has these but they are almost never used.
+	const ignoredList = [
+		'gyroscope',
+		'accelerometer',
+	];
+	const allowedPermissions =
+		(iframe.attr('allow') ?? '').split(/\s*;\s*/g)
+			.filter(s => s)
+			.filter(s => !ignoredList.includes(s));
+	if (allowedPermissions.some(allow => !safeList.includes(allow))) {
+		// This iframe is probably too powerful to be embedded
+		return null;
+	}
+
+	return {
+		url,
+		width,
+		height,
+		allow: allowedPermissions
+	}
+}
 
 export default async (url: URL.Url, lang: string | null = null): Promise<Summary | null> => {
 	if (lang && !lang.match(/^[\w-]+(\s*,\s*[\w-]+)*$/)) lang = null;
@@ -104,10 +211,17 @@ export default async (url: URL.Url, lang: string | null = null): Promise<Summary
 		return '/' + relativeURLString;
 	};
 
-	const icon = await find(favicon) ||
-		// 相対指定を絶対指定に変換し再試行
-		await find(toAbsolute(favicon)) ||
-		null;
+	const getIcon = async () => {
+		return await find(favicon) ||
+			// 相対指定を絶対指定に変換し再試行
+			await find(toAbsolute(favicon)) ||
+			null;
+	}
+
+	const [icon, oEmbed] = await Promise.all([
+		getIcon(),
+		getOEmbedPlayer($, url.href),
+	])
 
 	// Clean up the title
 	title = cleanupTitle(title, siteName);
@@ -121,10 +235,11 @@ export default async (url: URL.Url, lang: string | null = null): Promise<Summary
 		icon: icon || null,
 		description: description || null,
 		thumbnail: image || null,
-		player: {
+		player: oEmbed ?? {
 			url: playerUrl || null,
 			width: Number.isNaN(playerWidth) ? null : playerWidth,
-			height: Number.isNaN(playerHeight) ? null : playerHeight
+			height: Number.isNaN(playerHeight) ? null : playerHeight,
+			allow: ['fullscreen', 'encrypted-media'],
 		},
 		sitename: siteName || null,
 		sensitive,

src/plugins/amazon.ts

@@ -51,8 +51,9 @@ export async function summarize(url: URL.Url): Promise<summary> {
 		player: {
 			url: playerUrl || null,
 			width: playerWidth ? parseInt(playerWidth) : null,
-			height: playerHeight ? parseInt(playerHeight) : null
+			height: playerHeight ? parseInt(playerHeight) : null,
+			allow: playerUrl ? ['fullscreen', 'encrypted-media'] : [],
 		},
-		sitename: 'Amazon'
+		sitename: 'Amazon',
 	};
 }

src/plugins/wikipedia.ts

@@ -38,8 +38,9 @@ export async function summarize(url: URL.Url): Promise<summary> {
 		player: {
 			url: null,
 			width: null,
-			height: null
+			height: null,
+			allow: [],
 		},
-		sitename: 'Wikipedia'
+		sitename: 'Wikipedia',
 	};
 }

src/summary.ts

@@ -52,4 +52,9 @@ export type Player = {
 	 * The height of the player
 	 */
 	height: number | null;
+
+	/**
+	 * The allowed permissions of the iframe
+	 */
+	allow: string[];
 };

src/utils/got.ts

@@ -108,16 +108,17 @@ async function getResponse(args: GotOptions) {
 		},
 	});
 
-	return await receiveResponce({ req, typeFilter: args.typeFilter });
+	return await receiveResponse({ req, typeFilter: args.typeFilter });
 }
 
-async function receiveResponce<T>(args: { req: Got.CancelableRequest<Got.Response<T>>, typeFilter?: RegExp }) {
+async function receiveResponse<T>(args: { req: Got.CancelableRequest<Got.Response<T>>, typeFilter?: RegExp }) {
 	const req = args.req;
 	const maxSize = MAX_RESPONSE_SIZE;
 
 	req.on('response', (res: Got.Response) => {
 		// Check html
 		if (args.typeFilter && !res.headers['content-type']?.match(args.typeFilter)) {
+			// console.warn(res.headers['content-type']);
 			req.cancel(`Rejected by type filter ${res.headers['content-type']}`);
 			return;
 		}

test/htmls/oembed-and-og-video.html

@@ -0,0 +1,3 @@
+<!DOCTYPE html>
+<meta property="og:video:url" content="https://example.com/embedurl" />
+<link type="application/json+oembed" href="http://localhost:3060/oembed.json" />

test/htmls/oembed-and-og.html

@@ -0,0 +1,3 @@
+<!DOCTYPE html>
+<meta property="og:description" content="blobcats rule the world">
+<link type="application/json+oembed" href="http://localhost:3060/oembed.json" />

test/htmls/oembed-nonexistent-path.html

@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<link type="application/json+oembed" href="http://localhost:3060/oembe.json" />

test/htmls/oembed-relative.html

@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<link type="application/json+oembed" href="oembed.json" />

test/htmls/oembed-wrong.html

@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<link type="application/json+oembed" href="http://localhost+:3060/oembed.json" />

test/htmls/oembed.html

@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<link type="application/json+oembed" href="http://localhost:3060/oembed.json" />

test/index.ts

@@ -6,13 +6,13 @@
 
 /* dependencies below */
 
-import fs from 'node:fs';
+import fs, { readdirSync } from 'node:fs';
 import process from 'node:process';
 import fastify from 'fastify';
 import { summaly } from '../src/index.js';
 import { dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
-import {expect, jest, test, describe, beforeEach, afterEach} from '@jest/globals';
+import { expect, jest, test, describe, beforeEach, afterEach } from '@jest/globals';
 import { Agent as httpAgent } from 'node:http';
 import { Agent as httpsAgent } from 'node:https';
 import { StatusError } from '../src/utils/status-error.js';
@@ -213,6 +213,7 @@ describe('TwitterCard', () => {
 
 		const summary = await summaly(host);
 		expect(summary.player.url).toBe('https://example.com/embedurl');
+		expect(summary.player.allow).toStrictEqual(['fullscreen', 'encrypted-media']);
 	});
 
 	test('Player detection - Pleroma:video => video', async () => {
@@ -224,6 +225,7 @@ describe('TwitterCard', () => {
 
 		const summary = await summaly(host);
 		expect(summary.player.url).toBe('https://example.com/embedurl');
+		expect(summary.player.allow).toStrictEqual(['fullscreen', 'encrypted-media']);
 	});
 
 	test('Player detection - Pleroma:image => image', async () => {
@@ -237,3 +239,122 @@ describe('TwitterCard', () => {
 		expect(summary.thumbnail).toBe('https://example.com/imageurl');
 	});
 });
+
+describe("oEmbed", () => {
+	const setUpFastify = async (oEmbedPath: string, htmlPath = 'htmls/oembed.html') => {
+		app = fastify();
+		app.get('/', (request, reply) => {
+			return reply.send(fs.createReadStream(new URL(htmlPath, import.meta.url)));
+		});
+		app.get('/oembed.json', (request, reply) => {
+			return reply.send(fs.createReadStream(
+				new URL(oEmbedPath, new URL('oembed/', import.meta.url))
+			));
+		});
+		await app.listen({ port });
+	}
+
+	for (const filename of readdirSync(new URL('oembed/invalid', import.meta.url))) {
+		test(`Invalidity test: ${filename}`, async () => {
+			await setUpFastify(`invalid/${filename}`);
+			const summary = await summaly(host);
+			expect(summary.player.url).toBe(null);
+		});
+	}
+
+	test('basic properties', async () => {
+		await setUpFastify('oembed.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.width).toBe(500);
+		expect(summary.player.height).toBe(300);
+	});
+
+	test('type: video', async () => {
+		await setUpFastify('oembed-video.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.width).toBe(500);
+		expect(summary.player.height).toBe(300);
+	});
+
+	test('max height', async () => {
+		await setUpFastify('oembed-too-tall.json');
+		const summary = await summaly(host);
+		expect(summary.player.height).toBe(1024);
+	});
+
+	test('children are ignored', async () => {
+		await setUpFastify('oembed-iframe-child.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+	});
+
+	test('allows fullscreen', async () => {
+		await setUpFastify('oembed-allow-fullscreen.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.allow).toStrictEqual(['fullscreen'])
+	});
+
+	test('allows safelisted permissions', async () => {
+		await setUpFastify('oembed-allow-safelisted-permissions.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.allow).toStrictEqual([
+			'autoplay', 'clipboard-write', 'fullscreen',
+			'encrypted-media', 'picture-in-picture', 'web-share',
+		]);
+	});
+
+	test('ignores rare permissions', async () => {
+		await setUpFastify('oembed-ignore-rare-permissions.json');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.allow).toStrictEqual(['autoplay']);
+	});
+
+	test('oEmbed with relative path', async () => {
+		await setUpFastify('oembed.json', 'htmls/oembed-relative.html');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+	});
+
+	test('oEmbed with nonexistent path', async () => {
+		await setUpFastify('oembed.json', 'htmls/oembed-nonexistent-path.html');
+		await expect(summaly(host)).rejects.toThrow('404 Not Found');
+	});
+
+	test('oEmbed with wrong path', async () => {
+		await setUpFastify('oembed.json', 'htmls/oembed-wrong-path.html');
+		await expect(summaly(host)).rejects.toThrow();
+	});
+
+	test('oEmbed with OpenGraph', async () => {
+		await setUpFastify('oembed.json', 'htmls/oembed-and-og.html');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.description).toBe('blobcats rule the world');
+	});
+
+	test('Invalid oEmbed with valid OpenGraph', async () => {
+		await setUpFastify('invalid/oembed-insecure.json', 'htmls/oembed-and-og.html');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe(null);
+		expect(summary.description).toBe('blobcats rule the world');
+	});
+
+	test('oEmbed with og:video', async () => {
+		await setUpFastify('oembed.json', 'htmls/oembed-and-og-video.html');
+		const summary = await summaly(host);
+		expect(summary.player.url).toBe('https://example.com/');
+		expect(summary.player.allow).toStrictEqual([]);
+	});
+
+	test('width: 100%', async () => {
+		await setUpFastify('oembed-percentage-width.json');
+		const summary = await summaly(host);
+		expect(summary.player.width).toBe(null);
+		expect(summary.player.height).toBe(300);
+	});
+});

test/oembed/invalid/oembed-child-iframe.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<div><iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-double-iframes.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe><iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-future.json

@@ -0,0 +1,7 @@
+{
+  "version": "11.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-insecure.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='http://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-invalid-height.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": "blobcat"
+}

test/oembed/invalid/oembed-no-height.json

@@ -0,0 +1,6 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500
+}

test/oembed/invalid/oembed-no-version.json

@@ -0,0 +1,6 @@
+{
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-old.json

@@ -0,0 +1,7 @@
+{
+  "version": "0.1",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-photo.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "photo",
+  "url": "https://example.com/example.avif",
+  "width": 300,
+  "height": 300
+}

test/oembed/invalid/oembed-too-powerful.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/' allow='camera'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/invalid/oembed-too-powerful2.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/' allow='fullscreen;camera'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed-allow-fullscreen.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/' allow='fullscreen'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed-allow-safelisted-permissions.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/' allow='autoplay;clipboard-write;fullscreen;encrypted-media;picture-in-picture;web-share'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed-iframe-child.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'><script>alert('Hahaha I take this world')</script></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed-ignore-rare-permissions.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/' allow='autoplay;gyroscope;accelerometer'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed-percentage-width.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": "100%",
+  "height": 300
+}

test/oembed/oembed-too-tall.json

@@ -0,0 +1,6 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "height": 3000
+}

test/oembed/oembed-video.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "video",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}

test/oembed/oembed.json

@@ -0,0 +1,7 @@
+{
+  "version": "1.0",
+  "type": "rich",
+  "html": "<iframe src='https://example.com/'></iframe>",
+  "width": 500,
+  "height": 300
+}