Request to add `player(dot)bilibili(dot)com` and `bilibili(dot)com` to iframe whitelist

Hi,

Thanks for your awesome project.

I request to add player(dot)bilibili(dot)com and bilibili(dot)com to the iframe whitelist in functions.php. bilibili(dot)com is a very popular video website in China, and I made a lot of RSS for it, for example: rsshub(dot)app/bilibili/ranking/0/7

But I found TT-RSS will add sandbox="allow-scripts" on bilibili embedded video, preventing the embedded video from loading, so I request to add player(dot)bilibili(dot)com and bilibili(dot)com to the iframe whitelist in functions.php

I can make a pull request for it if you allow me, my username is DIYgod.

Thanks,
DIYgod

I’m sorry but I’m not going to add any more websites to the built-in whitelist. Youtube is there because of how absolutely dominating it is (for better or for worse) worldwide so not supporting it would be simply stupid. Not sure about vimeo, it probably should be removed.

You can consider it an unfair exception if you want to (which it is), but that won’t change anything.

The proper way to whitelist any other websites is by writing a plugin. If you run into trouble with that, we’ll help.

Also,

I can already see hacker news / techcrunch / whatever other tabloid headlines:

TT-RSS allows unsandboxed script access to a CHINESE website in stock configuration. Your privacy is at stake!

Think about your proposal from this angle for a second. Not that this website being from any other country would change anything.

e: if anything the whitelist should be removed altogether.

There. That’s more click-baitey for ya.

lmao

20charrrrrr rrrrr

Thanks for your reply. In fact, I already tried to write a plugin for it, but I don’t know PHP much, and I met a strange problem: the plugin works well on my TTRSS website, but doesn’t work with the fever API

my iframe plugin: github(dot)com/DIYgod/ttrss-plugin-remove-iframe-sandbox

fever plugin: github(dot)com/HenryQW/tinytinyrss-fever-plugin

I put my sandbox-removing logic in hook_sanitize, and the fever plugin gets RSS content via the sanitize function. I don’t know why the sandbox is not removed in the fever plugin.

I don’t use fever plugin so I can’t help you there. No idea how that plugin works but it may not be loading plugins properly. Maybe enabling your plugin in config.php would help.

Anyway, this whole thing got me thinking and I don’t see any point in youtube being on whitelist by default. So, I’m going to do the following:

  1. iframe whitelist itself is staying but empty by default
  2. I’ll add a separate hook to easily add stuff to the whitelist so people won’t have to deal with sandbox hook and copy-paste xpath code etc so making plugins to enable particular video websites is easier.

Thanks, it will be very helpful!

Maybe allowing users to set whitelist in prefs.php is a better way?

Someone can make a configurable whitelist plugin; in core, though, I would prefer to just keep things simple if possible.

e: https://git.tt-rss.org/fox/tt-rss/commit/d15f0349bf1671d3b3704f728372b7fb3f4045bd

Many many moons ago, I wrote github(dot)com/tribut/ttrss-videoframes (using the sanitize hook). I never got around to adding user configuration though. That said, if you open a PR or issue with an example feed for bilibili, I’ll certainly add it.
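
The behaviour discussed in this thread, as an added example that is not tt-rss code and not written by any participant: every iframe in feed HTML is forced to `sandbox="allow-scripts"` unless its `src` host exactly matches an allowlist entry. The function names and sample markup are constructed for illustration; the allowed host is the one requested in the first post.

```php
<?php
// Added illustration, not tt-rss source. Function names and sample HTML are constructed.

// Exact host names only; the entry is the host requested in the thread.
const ALLOWED_IFRAME_HOSTS = ['player.bilibili.com'];

function iframe_host_allowed(string $src, array $allowed): bool {
    $host = parse_url($src, PHP_URL_HOST);   // null/false when missing or unparsable
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Compare the whole host: substring or suffix checks would also accept
    // look-alikes such as "player.bilibili.com.attacker.example".
    return in_array(strtolower($host), $allowed, true);
}

function sandbox_iframes(string $html, array $allowed): string {
    $prev = libxml_use_internal_errors(true);   // feed HTML is rarely well-formed
    $doc = new DOMDocument();
    $doc->loadHTML('<body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    foreach ($doc->getElementsByTagName('iframe') as $frame) {
        if (!iframe_host_allowed($frame->getAttribute('src'), $allowed)) {
            // Overwrites any sandbox value the feed supplied itself.
            $frame->setAttribute('sandbox', 'allow-scripts');
        }
    }

    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample feed content.
$sample = '<iframe src="https://player.bilibili.com/embed"></iframe>'
        . '<iframe src="https://player.bilibili.com.attacker.example/x"></iframe>'
        . '<iframe src="https://other.example/embed" sandbox="allow-scripts allow-same-origin"></iframe>';

echo sandbox_iframes($sample, ALLOWED_IFRAME_HOSTS), "\n";
```

Only the first frame is left unsandboxed; the look-alike host and the frame that tried to grant itself `allow-same-origin` both end up with `sandbox="allow-scripts"`.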