-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC3338: Adding iframe specifics to preview json #3338
base: old_master
Are you sure you want to change the base?
Conversation
## Security considerations | ||
|
||
There is always cause for concern when displaying foreign content. However, preview resource is linking to the foreign content and displaying it already. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, we try to avoid sending clients to third-party URLs, as that can be a privacy issue -- it will reveal the user's IP address, user agent, etc. to the server operator.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do understand that, that's why the content is downloaded. However this is an opposite situation - we need/deliberately want to identify ourselves to the other party. I've addressed that in some more detail in the new version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am I understanding correctly that this proposal is to allow an iframe to be returned to a client in response to a URL preview request?
AFAIK the current behavior in Synapse at least is for the server to act as a sort of proxy for the client for URL previews. If the server returned an iframe to the client in response to a URL preview request, it would expose the client directly to a third party server. This seems like a significant change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. My argument is that the list of the third parties is configurable. And being clearly marked as an url, client may have a mechanism to choose not to display it. This is for the situations where proxying is not possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible for someone to tell me please what is required for oembed with iframe tag to be considered, or a definitive no regardless of the reasons.
I really cannot comment on general usefulness of the feature, I can only say that we are using Synapse/Element company wide and we cannot fully integrate with other systems, which hurts. I cannot imagine that we are the only ones that are using oembed with iframes.
Thanks.
I hope the new version provides a bit more exciting reading. |
|
||
Synapse preview converts oEmbed format to Open Graph tags, downloads referred content and serves it. The process is well suited for oEmbed `photo`, `video` and `link` types. With the `"rich"` type, oEmbed `html` element is scanned for `og:` meta tags, and if specific tags are not found the content is searched for the relevant html tags that can be converted to missing `og:` tags. At the moment, `title`, `description` and `image` tags are being looked for, `video` being on the wish list. | ||
|
||
This works fine when the content is public, however some content is available only for authenticated users. That content cannot be downloaded from the provider, because it needs authenticated client. One of the ways of providing such content is to embed it in `iframe` that requests authentication. For that case we need `iframe` specifics. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As an alternative, could you not just change client so that it can be configured to generate its own previews from certain domains directly, rather than asking the server for the preview?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's true, but then I'd have to reimplement oEmbed logic on the front end.
Scan oEmbed
"rich"
typehtml
for<iframe />
tags and return its specifics in json.3338-preview-iframe.md
Signed-off-by: Srdjan srdjan@catalyst.net.nz
Implementation: matrix-org/synapse#10547