RubyGems - jekyll-embed-urls - Versions diffs - 0.3.3 → 0.4.3 - Mend

jekyll-embed-urls 0.3.3 → 0.4.3

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e8b338448bae54c12ee6c9119852b2d93859ddd032c242ace46c0515eb2a4eb
-  data.tar.gz: fc960acd1bec7c2f189e7c46cf20739026395700827dd7b5f79c6937178c5c0a
+  metadata.gz: 938576c9cdee4a9b13de0e7d2d17983db2704f7882352d5a88010c66c8ddb122
+  data.tar.gz: e34c7de8e8d9b4b36d3b995888015362fd1a561db17cd3b4304bca252f12168c
 SHA512:
-  metadata.gz: db3a88054e7716581d5b87dbf302138331e7e8b11571946d0389eb93c9e2cdc5d9b3e5212cfe7af941d7d9346893e69b80c26d5aabec717d12b0ff4cd94a69b9
-  data.tar.gz: f5ef11ac9fa6b6ab8d0826cb0d024ff4a01de43645a7123e4b28832f29a7a61eef332004646618834fa80f2f7f2bb870efe074cd32200112364da3cc143c3adc
+  metadata.gz: 3c4cb82fb1f9accb6250dbe4b0460cde02867b7bf4b1befb93d2ca8c2f1c4bdb7204c9ceb30847bea1b1f7283be4d72f33137fcbc01c08bfce2ae93cda593cb7
+  data.tar.gz: 0e9f02488eb339c43c33c7a90f0192af3c2e069f038b2b399f6eba991423853589277e88369c0d920e03003957e2d26f3106b487db8b0b300e414abf02394625

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,29 @@
 # Changelog
+## v0.4.3
+* Correctly use Feature Policy
+## v0.4.2
+* Fix on v0.4.1
+## v0.4.1
+* Don't fail if remote URL returns an empty body
+## v0.4.0
+* Almost a complete rewrite.
+* Does its best to prevent visitor tracking.
+* Embed URLs with OEmbed, OGP and fallbacks to discover title and other
+  stuff.
+* If using Jekyll >= 4.2.0, finds URLs in content and replaces for HTML
+  embed.
+* Customizable templates.
+* Uses [UrlPrivacy](https://0xacab.org/sutty/url-privacy) to prevent
+  tracking.
 ## v0.3.3
 * Add `allow-popups` to sandbox so you can open links in a new window.

data/README.md CHANGED Viewed

@@ -1,8 +1,14 @@
 # jekyll-embed-urls
-This plugin finds the URL previsualization and replaces them in posts by
-using [OEmbed](https://oembed.com/) and other techniques.
+This plugin converts URLs to their previsualization by using
+[OEmbed](https://oembed.com/), [OGP](http://ogp.me/).  It fallbacks to
+showing a card with basic information.
+While developing this plugin, we found out that OEmbed providers tend to
+inject JavaScript and other ways of tracking users, so this plugin does
+its best to prevent it.
+For OGP and fallback, you can modify the templates.
 ## Installation
@@ -27,6 +33,37 @@ Add the plugin to your `_config.yml`:
 ```yaml
 plugins:
 - jekyll-embed-urls
+embed:
+# Extra elements to remove
+  scrub:
+  - form
+  - input
+  - textarea
+  - button
+  - fieldset
+  - select
+  - option
+  - optgroup
+  - canvas
+  - area
+  - map
+# Attribute values can be strings or array of strings
+  attributes:
+    referrerpolicy: strict-origin-when-cross-origin
+    sandbox:
+    - allow-scripts
+    - allow-popups
+    allow:
+    - fullscreen;
+    - gyroscope;
+    - picture-in-picture;
+    - clipboard-write;
+    loading: 'lazy'
+    controls: true
+    rel:
+    - noopener
+    - noreferrer
+    target: _blank
 ```
 Then, when you want to embed an URL (like a video) in a post, simply
@@ -49,6 +86,90 @@ paragraphs but it needs to be in its own block of text.
 **Another note:** [Invidious doesn't support OEmbed
 yet](https://github.com/omarroth/invidious/issues/1222) :P
+## Themes
+You can also use it as a Liquid filter, for instance:
+```html
+{{ page.embed_url | embed }}
+```
+The `embed` filter takes an URL and replaces it for the HTML.  Other
+filters are `oembed`, `ogp` and `fallback`.
+### Templates
+You can modify the templates by providing your own include files,
+`_includes/ogp.html` and `_includes/fallback.html`.  We don't add any
+CSS so you can develop your own.
+To access default includes, run `bundle show jekyll-embed-urls` and copy
+the files from the `_includes` directory to your site.
+## Facebook and Instagram
+Facebook deprecated their OEmbed API and now a token is required for
+embedding Facebook and Instagram URLs.  Set it as an environtment
+variable named `OEMBED_FACEBOOK_TOKEN`.
+If you don't have it, this plugin make a best effort attempt.  Instagram
+will be available through OGP, but their image URLs expire after
+a certain time, so your site may appear broken after a while.  We could
+download them but we decided not to because it may infringe on
+intellectual property laws and personal rights such as privacy, and
+consequently put our service at risk.
+It's our position that there're legitimate uses for downloading remote
+media, such as for archiving collective memory (police brutality, public
+figures speeches, etc.) that may be removed without notice.
+In these cases our recommendation is always not to host with corporate
+services, since they don't share our politics and actively work against
+us.
+We're hotlinking and copying text though, assuming that falls under fair
+use rights.
+## Tracking prevention
+Anti-tracking techniques implemented are:
+* `<script>` and other tags are removed.  No external JS is loaded in
+  a local context.
+* `<form>`s and their elements are removed.
+* `<canvas>`, `<area>`, `<map>` are removed.
+* `<iframe>`s are
+  [sandboxed](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox).
+* `<img>`s are lazy loaded.  This is not strickly anti-tracking but
+  images are loaded when needed.
+* All URLs get their tracking params removed by
+  [UrlPrivacy](https://0xacab.org/sutty/url-privacy)
+* [Referrer
+  Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
+  is implemented for supported elements.  Extrangely, `<video>` and
+  `<audio>` don't seem to support it.
+* External links open in a new tab and have `rel="noopener noreferrer"`
+  to prevent [reverse
+  tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing).
+If you find more useful techniques, please [open an issue
+report](https://0xacab.org/sutty/jekyll/jekyll-embed-urls/-/issues).
+## Feature policy
+[Feature
+policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
+is a list of directives for allowing or denying features.
+The directives are separated by semicolons.  Any directive not mentioned
+in the configuration is assumed to have a "none" policy by this plugin.
 ## Contributing

data/_includes/fallback.html ADDED Viewed

@@ -0,0 +1,17 @@
+<article class="fallback">
+  {%- if page.image -%}
+    <img referrerpolicy="{{ embed.referrerpolicy }}" loading="{{ embed.loading }}" src="{{ page.image }}" class="img-fluid" />
+  {%- endif -%}
+  <h1>{{ page.title }}</h1>
+  <p class="lead">{{ page.description }}</p>
+  <p><small>
+    <a
+      href="{{ page.url }}"
+      referrerpolicy="{{ embed.referrerpolicy }}"
+      target="{{ embed.target }}"
+      rel="{{ embed.rel }}">
+      {{ page.url }}
+    </a>
+  </small><p>
+</article>

data/_includes/ogp.html ADDED Viewed

@@ -0,0 +1,23 @@
+<article class="ogp" lang="{{ page.locale }}">
+  {%- if page.video -%}
+    <video poster="{{ page.image }}" class="img-fluid" {{ embed.controls }} src="{{ page.video }}"/>
+  {%- elsif page.image -%}
+    <img referrerpolicy="{{ embed.referrerpolicy }}" loading="{{ embed.loading }}" src="{{ page.image }}" class="img-fluid" />
+  {%- endif -%}
+  {%- if page.audio -%}
+    <audio class="img-fluid" {{ embed.controls }} src="{{ page.audio }}"/>
+  {%- endif -%}
+  <h1>{{ page.title }}</h1>
+  <p class="lead">{{ page.description }}</p>
+  <p><small>
+    <a
+      href="{{ page.url }}"
+      referrerpolicy="{{ embed.referrerpolicy }}"
+      target="{{ embed.target }}"
+      rel="{{ embed.rel }}">
+      {{ page.url }}
+    </a>
+  </small><p>
+</article>

data/lib/jekyll/embed/cache.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module Jekyll
+  class Embed
+    # Jekyll cache that behaves like ActiveSupport::Cache
+    class Cache < Jekyll::Cache
+      def write(key, value)
+        self[key] = value
+      end
+      def read(key)
+        self[key]
+      rescue
+        nil
+      end
+    end
+  end
+end

data/lib/jekyll/embed/content.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'cgi'
+module Jekyll
+  class Embed
+    class Content
+      URL_RE = /<p[^>]*>[\s\n]*(?<url>https?:\/\/[^<\s\n]+)[\s\n]*<\/p>/m.freeze
+      class << self
+        # Find URLs on paragraphs.  We do it after rendering because
+        # sometimes we use HTML instead of pure Markdown and this way we
+        # catch both.
+        def embed!(content)
+          URL_RE.match(content) do |match|
+            embed = Jekyll::Embed.embed CGI.unescapeHTML(match[:url])
+            content.sub! URL_RE, embed
+          end
+        end
+      end
+    end
+  end
+end
+Jekyll::Hooks.register :posts, :post_convert do |post|
+  Jekyll::Embed::Content.embed! post.content
+end

data/lib/jekyll/embed/filter.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Jekyll
+  class Embed
+    module Filter
+      # This filter takes the URL passed as input an returns its HTML
+      # representation.  Embed takes care of everything else.
+      def embed(url)
+        return url unless url.is_a? String
+        Embed.embed url
+      end
+      def oembed(url)
+        return url unless url.is_a? String
+        Embed.oembed url
+      end
+      def ogp(url)
+        return url unless url.is_a? String
+        Embed.ogp url
+      end
+      def fallback(url)
+        return url unless url.is_a? String
+        Embed.fallback url
+      end
+    end
+  end
+end
+Liquid::Template.register_filter(Jekyll::Embed::Filter)

data/lib/jekyll/embed/oembed.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+require 'oembed'
+module OEmbed
+  module ProviderDecorator
+    def self.included(base)
+      base.class_eval do
+        def http_get(url, _)
+          Jekyll::Embed.get(url.to_s).body
+        rescue Faraday::Error
+          raise OEmbed::UnknownResponse
+        end
+      end
+    end
+  end
+end
+OEmbed::Provider.include OEmbed::ProviderDecorator

data/lib/jekyll/embed.rb ADDED Viewed

@@ -0,0 +1,335 @@
+# frozen_string_literal: true
+require 'faraday'
+require 'faraday-http-cache'
+require 'faraday_middleware/response/follow_redirects'
+require 'loofah'
+require 'ogp'
+require 'url_privacy'
+require_relative 'embed/oembed'
+require_relative 'embed/cache'
+if Gem::Version.new(Jekyll::VERSION) >= Gem::Version.new('4.2.0')
+  require_relative 'embed/content'
+else
+  Jekyll.logger.warn "Upgrade to Jekyll >= 4.2.0 to embed URLs in content"
+end
+OEmbed::Providers.register_all
+OEmbed::Providers.register_fallback(OEmbed::ProviderDiscovery,
+                                    OEmbed::Providers::Noembed)
+module Jekyll
+  # The idea with this class is to find the best safe representation of
+  # a link.  For a YouTube video it could be the sandboxed iframe.  This
+  # loads the video and allows you to reproduce it while preventing YT
+  # to call home and send data about your users.  But other social networks
+  # will try to take control of their containers by modifying the page.
+  # They resist sandboxing and don't work correctly.  For them, we
+  # cleanup unwanted HTML tags such as <script>, and return the HTML,
+  # which you can style using CSS.  Twitter does this.
+  #
+  # Others are only available through OGP, so we retrieve the metadata
+  # and render a template, which you can provide in your own theme too.
+  #
+  # We also try for microformats and we would look at Schema.org too but
+  # doesn't seem to be a gem for it yet.
+  #
+  # If the URL doesn't provide anything at all we get the URL, title and
+  # date of last visit.
+  #
+  # Isn't it nice that the corporations that requires us to use OEmbed,
+  # OGP, Twitter Cards, Schema.org and other metadata, don't do use
+  # themselves?
+  #
+  # Also we're going to use heavy caching so we don't hit rate limits or
+  # lose the representation if the service is down or the URL is
+  # removed.  We may be tempted to store the resources locally (images,
+  # videos, audio) but we have to take into account that people have
+  # legitimate reasons to remove media from the Internet.
+  class Embed
+    # Attributes to apply by HTMLElement
+    IFRAME_ATTRIBUTES = %w[allow sandbox referrerpolicy loading].freeze
+    IMAGE_ATTRIBUTES = %w[referrerpolicy loading].freeze
+    MEDIA_ATTRIBUTES = %w[controls].freeze
+    A_ATTRIBUTES = %w[referrerpolicy rel target].freeze
+    # Directive from Feature Policy
+    # @see {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#directives}
+    DIRECTIVES = %w[accelerometer ambient-light-sensor autoplay battery camera display-capture document-domain encrypted-media execution-while-not-rendered execution-while-out-of-viewport fullscreen gamepad geolocation gyroscope layout-animations legacy-image-formats magnetometer microphone midi navigation-override oversized-images payment picture-in-picture publickey-credentials-get speaker-selection sync-xhr usb screen-wake-lock web-share xr-spatial-tracking].freeze
+    # Templates
+    INCLUDE_OGP = '{% include ogp.html site=site page=page %}'
+    INCLUDE_FALLBACK = '{% include fallback.html site=site page=page %}'
+    # The default referrer policy only sends the origin URL (not the
+    # full URL, only the protocol/scheme and domain part) if the remote
+    # URL is HTTPS.
+    #
+    # @see {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy}
+    #
+    # The default sandbox restrictions only allow scripts in the context
+    # of the iframe and opening new tabs.
+    #
+    # @see {https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox}
+    DEFAULT_CONFIG = {
+      'scrub' => %w[form input textarea button fieldset select option optgroup canvas area map],
+      'attributes' => {
+        'referrerpolicy' => 'strict-origin-when-cross-origin',
+        'sandbox' => %w[allow-scripts allow-popups],
+        'allow' => %w[fullscreen; gyroscope; picture-in-picture; clipboard-write;],
+        'loading' => 'lazy',
+        'controls' => true,
+        'rel' => %w[noopener noreferrer],
+        'target' => '_blank'
+      }
+    }
+    class << self
+      def site
+        unless @site
+          raise Jekyll::Errors::InvalidConfigurationError,
+            "Site is missing, configure with `Jekyll::Embed.site = site`"
+        end
+        @site
+      end
+      # This is an initializer of sorts
+      #
+      # @param [Jekyll::Site]
+      # @return [Jekyll::Site]
+      def site=(site)
+        raise ArgumentError, "Site must be a Jekyll::Site" unless site.is_a? Jekyll::Site
+        @site = site
+        # Add the _includes dir so we can provide default templates that
+        # can be overriden locally or by the theme.
+        site.includes_load_paths << File.expand_path(File.join(__dir__, '..', '..', '_includes'))
+        # Since we're embedding, we're allowing iframes
+        Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2 << 'iframe'
+        # Other elements that are disallowed
+        config['scrub']&.each do |scrub|
+          Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.delete(scrub)
+        end
+        payload['embed'] = config['attributes']
+        site
+      end
+      # Render the URL as HTML
+      #
+      # 1. Try oembed for video and image
+      # 2. If rich oembed, cleanup
+      # 3. If OGP, render templates
+      # 4. Else, render fallback template
+      #
+      # @param [String] URL
+      # @return [String] HTML
+      def embed(url)
+        url.strip!
+        # Quick check
+        raise URI::Error unless url.start_with? 'http'
+        # Just to verify the URL is valid
+        URI.parse url
+        oembed(url) || ogp(url) || fallback(url)
+      rescue URI::Error
+        Jekyll.logger.warn "#{url.inspect} is not a valid URL"
+        url
+      end
+      # @return [Hash]
+      def config
+        @config ||= Jekyll::Utils.deep_merge_hashes(DEFAULT_CONFIG, (site.config['embed'] || {})).tap do |c|
+          c['attributes']['allow'].concat (DIRECTIVES - c.dig('attributes', 'allow').join.split(';').map { |s| s.split(' ').first }).join(" 'none';|").split('|')
+        end
+      end
+      # Try for OEmbed
+      #
+      # @param [String] URL
+      # @return [String,NilClass] Sanitized HTML or nil
+      def oembed(url)
+        cache.getset(url) do
+          oembed = OEmbed::Providers.get url
+          # Prevent caching of nil?
+          raise OEmbed::Error unless oembed.respond_to? :html
+          # Cleanup.  We don't allow running remote scripts locally,
+          # period.
+          cleanup(Loofah.fragment(oembed.html).scrub!(:prune), url).to_s
+        end
+      rescue OEmbed::Error
+        nil
+      end
+      # Try for OGP.
+      # @param [String] URL
+      # @return [String,NilClass]
+      def ogp(url)
+        cache.getset(url) do
+          ogp = OGP::OpenGraph.new get(url).body
+          context = info.dup
+          context[:registers][:page] = payload['page'] = ogp.data
+          ogp_template.render! payload, context
+        end
+      rescue OGP::MalformedSourceError, OGP::MissingAttributeError, Faraday::Error
+        nil
+      end
+      # Try something
+      def fallback(url)
+        cache.getset(url) do
+          html        = Nokogiri::HTML.fragment get(url).body
+          element     = html.css('article').first
+          element   ||= html.css('section').first
+          element   ||= html.css('main').first
+          element   ||= html.css('body').first
+          title       = html.css('title').first
+          description = html.css('meta[name="description"]').first
+          context = info.dup
+          context[:registers][:page] = payload['page'] = {
+            'title' => text(title),
+            'description' => text(description),
+            'url' => url,
+            'image' => element&.css('img')&.first&.public_send(:[], 'src')
+          }
+          fallback_template.render! payload, context
+        end
+      rescue Faraday::Error, Nokogiri::SyntaxError
+        nil
+      end
+      # @param [String] URL
+      # @return [Faraday::Response]
+      def get(url)
+        @get_cache ||= {}
+        @get_cache[url] ||= http_client.get url
+      end
+      # @return [Jekyll::Embed::Cache]
+      def cache
+        @cache ||= Jekyll::Embed::Cache.new('Jekyll::Embed')
+      end
+      # @return [Faraday::Connection]
+      def http_client
+        @http_client ||= Faraday.new do |builder|
+          builder.use FaradayMiddleware::FollowRedirects
+          builder.use :http_cache, shared_cache: false, store: cache, serializer: Marshal
+        end
+      end
+      def cleanup(html, url)
+        # Add our own attributes
+        html.css('iframe').each do |iframe|
+          IFRAME_ATTRIBUTES.each do |attr|
+            iframe[attr] = value_for_attr(attr)
+          end
+          # Embedding itself require allow-same-origin
+          iframe['sandbox'] += allow_same_origin(url)
+        end
+        html.css('audio, video').each do |media|
+          MEDIA_ATTRIBUTES.each do |attr|
+            media[attr] = value_for_attr(attr)
+          end
+          media['src'] = UrlPrivacy.clean media['src']
+        end
+        html.css('img').each do |img|
+          IMAGE_ATTRIBUTES.each do |attr|
+            img[attr] = value_for_attr(attr)
+          end
+        end
+        html.css('a').each do |a|
+          A_ATTRIBUTES.each do |attr|
+            a[attr] = value_for_attr(attr)
+          end
+        end
+        html.css('[src]').each do |element|
+          element['src'] = CGI.escapeHTML(UrlPrivacy.clean(CGI.unescapeHTML(element['src'])))
+        end
+        html.css('[href]').each do |element|
+          element['href'] = CGI.escapeHTML(UrlPrivacy.clean(CGI.unescapeHTML(element['href'])))
+        end
+        # Return the cleaned up HTML
+        html
+      end
+      def text(node)
+        node&.text&.tr("\n", '')&.tr("\r", '')&.strip&.squeeze(' ')
+      end
+      private
+      def fallback_template
+        @fallback_template ||= site.liquid_renderer.file('fallback.html').parse(INCLUDE_FALLBACK)
+      end
+      def ogp_template
+        @ogp_template ||= site.liquid_renderer.file('ogp.html').parse(INCLUDE_OGP)
+      end
+      def info
+        @info ||= {
+          registers: { site: site },
+          strict_filters: site.config.dig('liquid', 'strict_filters'),
+          strict_variables: site.config.dig('liquid', 'strict_variables')
+        }
+      end
+      # @param [String]
+      # @return [String]
+      def value_for_attr(attr)
+        @value_for_attr ||= {}
+        @value_for_attr[attr] ||=
+          case (value = config.dig('attributes', attr))
+            when String then value
+            when Array then value.join(' ')
+          end
+      end
+      # If the iframe comes from the same site, we can allow the same
+      # origin policy on the sandbox.
+      #
+      # @param [String] URL
+      # @return [String]
+      def allow_same_origin(url)
+        unless site.config['url']
+          Jekyll.logger.warn "Add url to _config.yml to determine if the site can embed itself"
+          return ' allow-same-origin'
+        end
+        @allow_same_origin ||= {}
+        @allow_same_origin[url] ||= url.start_with?(site.config['url']) ? '' : ' allow-same-origin'
+      end
+      # Caches it because Jekyll::Site#site_payload returns a new object
+      # everytime.
+      #
+      # @return [Jekyll::Drops::UnifiedPayloadDrop]
+      def payload
+        @payload ||= site.site_payload
+      end
+    end
+  end
+end

data/lib/jekyll-embed-urls.rb CHANGED Viewed

@@ -1,90 +1,9 @@
-require 'oembed'
-require 'cgi'
-require 'oga'
+# frozen_string_literal: true
-# TODO: We tested several of the mainstream embedable contents (YT, IG,
-# Twitter) and specially IG and Twitter just want to take over the page
-# to set their own size, also send metrics.  So they won't work on a
-# sandboxed iframe, which we were expecting, but they also won't be
-# comfortable for visitors to use.  We're planning on using OGP and
-# render our own partials (configurable) for this.  This way everything
-# is safer and the embedded content even adapts to the site's design.
-#
-# So, expect a major refactoring!
+require_relative 'jekyll/embed'
+require_relative 'jekyll/embed/filter'
-OEmbed::Providers.register_all
-OEmbed::Providers.register_fallback(OEmbed::ProviderDiscovery,
-                                    OEmbed::Providers::Noembed)
-# Process the content of documents before rendering them to find URLs in
-# a block.
-Jekyll::Hooks.register :site, :pre_render do |site|
-  # Cache results
-  cache ||= Jekyll::Cache.new('Jekyll::OEmbed::Urls')
-  # TODO: Make configurable
-  referrer_policy = 'strict-origin-when-cross-origin'
-  # Only modify documents to be written
-  site.docs_to_write.each do |doc|
-    # Skip text paragraphs
-    # XXX: Find link in first line
-    next unless %r{\n\n\s*<?https?://} =~ doc.content
-    # Split texts by markdown blocks
-    doc.content = doc.content.split("\n\n").map do |p|
-      # Only process lines with URLs
-      next p unless %r{\A\s*<?https?://} =~ p
-      # Remove empty characters and markdown autolinks
-      p = p.strip.tr('<', '').tr('>', '')
-      # @see {https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox}
-      same_origin = p.start_with? site.config['url']
-      Jekyll.logger.debug "Finding OEmbed content for #{p}"
-      # Cache the results
-      cache.getset(p) do
-        Jekyll.logger.debug "=> Not cached, obtaining..."
-        result = OEmbed::Providers.get(p)
-        sandbox = "allow-scripts allow-popups #{same_origin ? '' : 'allow-same-origin'}"
-        # If the embed HTML contains an iframe, make sure it has the
-        # correct attributes.
-        if %r{<iframe } =~ result.html
-          html = Oga.parse_html result.html
-          html.css('iframe').each do |iframe|
-            iframe.attributes.delete_if do |attr|
-              %w[width height].include? attr.name
-            end
-            iframe.attributes << Oga::XML::Attribute.new(name: 'sandbox', value: sandbox)
-            iframe.attributes << Oga::XML::Attribute.new(name: 'referrerpolicy', value: referrer_policy)
-          end
-          html.to_xml
-        else
-          # Return a sandboxed iframe with the size of the HTML.  We
-          # only allow scripts to run inside the iframe and nothing
-          # else.
-          <<~IFRAME
-            <iframe
-              referrerpolicy="#{referrer_policy}"
-              sandbox="#{sandbox}"
-              style="min-width:#{result.width}px;min-height:#{result.height || 0}px"
-              srcdoc="#{CGI.escape_html result.html}"></iframe>
-          IFRAME
-        end
-      rescue OEmbed::Error => e
-        # If the URL doesn't support OEmbed just return an external
-        # link.
-        #
-        # TODO: Fetch information with OGP and render a template.
-        Jekyll.logger.warn "#{p} is not oembeddable or URL can't be fetched, showing as URL: #{e}"
-        %(<p><a href="#{p}" target="_blank" referrerpolicy="#{referrer_policy}">#{p}</a></p>)
-      end
-    # Rebuild the content
-    end.join("\n\n")
-  end
+# Configure Embed
+Jekyll::Hooks.register :site, :after_init do |site|
+  Jekyll::Embed.site = site
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jekyll-embed-urls
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.3
 platform: ruby
 authors:
 - f
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-30 00:00:00.000000000 Z
+date: 2021-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -30,28 +30,98 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.15'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.15'
 - !ruby/object:Gem::Dependency
-  name: oga
+  name: loofah
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.15'
+        version: '2.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.15'
+        version: '2.9'
+- !ruby/object:Gem::Dependency
+  name: ogp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: faraday-http-cache
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: faraday_middleware
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: url-privacy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Replaces URLs for their previsualization in Jekyll posts
 email:
 - f@sutty.nl
@@ -65,7 +135,14 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
+- _includes/fallback.html
+- _includes/ogp.html
 - lib/jekyll-embed-urls.rb
+- lib/jekyll/embed.rb
+- lib/jekyll/embed/cache.rb
+- lib/jekyll/embed/content.rb
+- lib/jekyll/embed/filter.rb
+- lib/jekyll/embed/oembed.rb
 homepage: https://0xacab.org/sutty/jekyll/jekyll-embed-urls
 licenses:
 - GPL-3.0
@@ -88,9 +165,9 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - "~>"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '2.6'
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="