// src/lib/embeds/playback.ts
/**
 * The trusted video playback hosts and the URLs the reader facade is allowed to
 * load. Kept tiny and host-exact: the facade script reconstructs the iframe `src`
 * from provider + id (never a raw URL from the document) and re-validates it with
 * `isTrustedPlaybackUrl` before insertion (AGENTS.md rule 6). Dependency-free.
 */
// Exact hostnames accepted for playback iframes. isTrustedPlaybackUrl tests
// URL.hostname against this list with Array.prototype.includes, i.e. whole-string
// equality: a subdomain, a suffix match or a look-alike host does not pass.
const PLAYBACK_HOSTS: readonly string[] = [
	'www.youtube-nocookie.com',
	'player.vimeo.com',
];
9
/**
 * Builds the autoplay embed URL for a video from its provider and id.
 *
 * The id is percent-encoded with `encodeURIComponent` before it is placed in
 * the path, so characters such as `/`, `?`, `#` and `@` in it cannot add path
 * segments, a query string or a different authority. `encodeURIComponent`
 * leaves `.` unescaped, so an id of `.` or `..` is a dot segment that URL
 * parsers resolve away: the path changes, the host does not. The id's format
 * (length, alphabet, emptiness) is not validated here.
 *
 * @param provider - `'youtube'` selects the youtube-nocookie embed; every other
 *   value takes the Vimeo branch.
 * @param id - Video id as stored for the embed.
 * @returns The https embed URL with `?autoplay=1` appended.
 */
export function playbackUrl( provider: 'youtube' | 'vimeo', id: string ): string {
	const encodedId = encodeURIComponent( id );

	if ( provider === 'youtube' ) {
		return `https://www.youtube-nocookie.com/embed/${ encodedId }?autoplay=1`;
	}

	return `https://player.vimeo.com/video/${ encodedId }?autoplay=1`;
}
16
/**
 * Reports whether `url` is an absolute https URL whose hostname is one of
 * PLAYBACK_HOSTS.
 *
 * Only the scheme and the hostname are compared. `URL.hostname` carries
 * neither the port nor userinfo, so a non-default port, embedded credentials,
 * the path and the query are not inspected by this check. A caller that needs
 * an exact origin has to compare those parts itself.
 *
 * @param url - Candidate iframe `src`.
 * @returns `true` when scheme and hostname match; `false` otherwise, including
 *   for input that `new URL` cannot parse (such as a relative URL).
 */
export function isTrustedPlaybackUrl( url: string ): boolean {
	let candidate: URL;

	try {
		candidate = new URL( url );
	} catch {
		// Unparseable input is rejected, never thrown back to the caller.
		return false;
	}

	if ( candidate.protocol !== 'https:' ) {
		return false;
	}

	return PLAYBACK_HOSTS.includes( candidate.hostname );
}