MSC3338: Adding iframe specifics to preview json #3338
Conversation
turt2live
added
client-server
turt2live
changed the title
| ## Security considerations | ||
|
|
||
| There is always cause for concern when displaying foreign content. However, preview resource is linking to the foreign content and displaying it already. | ||
|
|
There was a problem hiding this comment.
In general, we try to avoid sending clients to third-party URLs, as that can be a privacy issue -- it will reveal the user's IP address, user agent, etc. to the server operator.
There was a problem hiding this comment.
I do understand that, that's why the content is downloaded. However this is an opposite situation - we need/deliberately want to identify ourselves to the other party. I've addressed that in some more detail in the new version.
There was a problem hiding this comment.
Am I understanding correctly that this proposal is to allow an iframe to be returned to a client in response to a URL preview request?
AFAIK the current behavior in Synapse at least is for the server to act as a sort of proxy for the client for URL previews. If the server returned an iframe to the client in response to a URL preview request, it would expose the client directly to a third party server. This seems like a significant change.
There was a problem hiding this comment.
Correct. My argument is that the list of the third parties is configurable. And being clearly marked as an url, client may have a mechanism to choose not to display it. This is for the situations where proxying is not possible.
There was a problem hiding this comment.
Would it be possible for someone to tell me please what is required for oembed with iframe tag to be considered, or a definitive no regardless of the reasons.
I really cannot comment on general usefulness of the feature, I can only say that we are using Synapse/Element company wide and we cannot fully integrate with other systems, which hurts. I cannot imagine that we are the only ones that are using oembed with iframes.
Thanks.
|
I hope the new version provides a bit more exciting reading. |
|
|
||
| Synapse preview converts oEmbed format to Open Graph tags, downloads referred content and serves it. The process is well suited for oEmbed `photo`, `video` and `link` types. With the `"rich"` type, oEmbed `html` element is scanned for `og:` meta tags, and if specific tags are not found the content is searched for the relevant html tags that can be converted to missing `og:` tags. At the moment, `title`, `description` and `image` tags are being looked for, `video` being on the wish list. | ||
|
|
||
| This works fine when the content is public, however some content is available only for authenticated users. That content cannot be downloaded from the provider, because it needs authenticated client. One of the ways of providing such content is to embed it in `iframe` that requests authentication. For that case we need `iframe` specifics. |
There was a problem hiding this comment.
As an alternative, could you not just change client so that it can be configured to generate its own previews from certain domains directly, rather than asking the server for the preview?
There was a problem hiding this comment.
That's true, but then I'd have to reimplement oEmbed logic on the front end.
Scan oEmbed
"rich"typehtmlfor<iframe />tags and return its specifics in json.3338-preview-iframe.md
Signed-off-by: Srdjan srdjan@catalyst.net.nz
Implementation: matrix-org/synapse#10547