Embeds: trusted playback URL builder + validator

+55
+31
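--- a/src/lib/embeds/playback.test.ts
+++ b/src/lib/embeds/playback.test.ts
@@ -0,0 +1,31 @@
+// src/lib/embeds/playback.test.ts
+import { describe, expect, it } from 'vitest';
+import { playbackUrl, isTrustedPlaybackUrl } from './playback';
+
+describe( 'playbackUrl', () => {
+	it( 'builds privacy-friendly youtube + vimeo URLs', () => {
+		expect( playbackUrl( 'youtube', 'dQw4w9WgXcQ' ) ).toBe(
+			'https://www.youtube-nocookie.com/embed/dQw4w9WgXcQ?autoplay=1'
+		);
+		expect( playbackUrl( 'vimeo', '123456789' ) ).toBe(
+			'https://player.vimeo.com/video/123456789?autoplay=1'
+		);
+	} );
+
+	it( 'URL-encodes the id', () => {
+		expect( playbackUrl( 'youtube', 'a/b?c' ) ).toContain( '/embed/a%2Fb%3Fc?' );
+	} );
+} );
+
+describe( 'isTrustedPlaybackUrl', () => {
+	it( 'accepts only the two playback hosts', () => {
+		expect( isTrustedPlaybackUrl( 'https://www.youtube-nocookie.com/embed/x?autoplay=1' ) ).toBe( true );
+		expect( isTrustedPlaybackUrl( 'https://player.vimeo.com/video/1?autoplay=1' ) ).toBe( true );
+	} );
+
+	it( 'rejects anything else', () => {
+		expect( isTrustedPlaybackUrl( 'https://evil.com/embed/x' ) ).toBe( false );
+		expect( isTrustedPlaybackUrl( 'https://www.youtube-nocookie.com.evil.com/embed/x' ) ).toBe( false );
+		expect( isTrustedPlaybackUrl( 'javascript:alert(1)' ) ).toBe( false );
+	} );
+} );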
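Review bot: The rejection cases for `isTrustedPlaybackUrl` (diff lines 26–30) cover a foreign host, a suffix-confusable host and a `javascript:` scheme, but not a scheme downgrade or a scheme-relative URL, which are the variants a validator of this shape is most likely to be asked about later. Add `expect( isTrustedPlaybackUrl( 'http://www.youtube-nocookie.com/embed/x' ) ).toBe( false );` and `expect( isTrustedPlaybackUrl( '//www.youtube-nocookie.com/embed/x' ) ).toBe( false );` to that block; both hold with the validator as written, since the scheme check fails the first and `new URL` without a base throws on the second. The encoding test on line 16 only exercises the YouTube branch; pinning the Vimeo branch too, e.g. `expect( playbackUrl( 'vimeo', '1/../x' ) ).toContain( '/video/1%2F..%2Fx?' );`, would catch a future regression where one template stops using `safeId`.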
+24
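--- a/src/lib/embeds/playback.ts
+++ b/src/lib/embeds/playback.ts
@@ -0,0 +1,24 @@
+// src/lib/embeds/playback.ts
+/**
+ * The trusted video playback hosts and the URLs the reader facade is allowed to
+ * load. Kept tiny and host-exact: the facade script reconstructs the iframe `src`
+ * from provider + id (never a raw URL from the document) and re-validates it with
+ * `isTrustedPlaybackUrl` before insertion (AGENTS.md rule 6). Dependency-free.
+ */
+const PLAYBACK_HOSTS = [ 'www.youtube-nocookie.com', 'player.vimeo.com' ];
+
+export function playbackUrl( provider: 'youtube' | 'vimeo', id: string ): string {
+	const safeId = encodeURIComponent( id );
+	return provider === 'youtube'
+		? `https://www.youtube-nocookie.com/embed/${ safeId }?autoplay=1`
+		: `https://player.vimeo.com/video/${ safeId }?autoplay=1`;
+}
+
+export function isTrustedPlaybackUrl( url: string ): boolean {
+	try {
+		const parsed = new URL( url );
+		return parsed.protocol === 'https:' && PLAYBACK_HOSTS.includes( parsed.hostname );
+	} catch {
+		return false;
+	}
+}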
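Review bot: `isTrustedPlaybackUrl` (diff lines 17–24) checks only scheme and exact hostname, so a URL carrying a port or userinfo component, or any path at all on a trusted host, still validates; `URL.hostname` excludes those parts. Because the header comment says the facade always rebuilds the `src` from provider + id, every legitimate URL has an empty port, no credentials and a known path prefix, so the validator can require all three at no cost to callers and then genuinely acts as the second line of defence the comment describes. The rewrite below keys the allowed path prefix by host in a `Map` (a plain object would answer `PLAYBACK_PATHS[ 'constructor' ]` with a prototype member under `noUncheckedIndexedAccess`), which also lets `PLAYBACK_HOSTS` be dropped or derived from the map's keys. The `try`/`catch` stays, since `new URL` throws on relative or malformed input and `false` is the right answer there.
```typescript
/** Allowed path prefix per trusted playback host; anything else is rejected. */
const PLAYBACK_PATHS = new Map< string, string >( [
	[ 'www.youtube-nocookie.com', '/embed/' ],
	[ 'player.vimeo.com', '/video/' ],
] );

// … unchanged: playbackUrl …

export function isTrustedPlaybackUrl( url: string ): boolean {
	try {
		const parsed = new URL( url );
		const prefix = PLAYBACK_PATHS.get( parsed.hostname );
		return (
			parsed.protocol === 'https:' &&
			parsed.port === '' &&
			parsed.username === '' &&
			parsed.password === '' &&
			prefix !== undefined &&
			parsed.pathname.startsWith( prefix )
		);
	} catch {
		return false;
	}
}
```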