- Followup to 1.1.3: also hardcode the YouTube oembed endpoint for sharing URLs (
youtu.be).
- Hardcode the well-known YouTube oembed endpoint. While YouTube still does output oembed metadata, today many users saw broken videos due to broken canonical tags on YouTube pages (
link rel="undefined"), which hampered discovery. Also this heavily used service will benefit from one less request per video.
- Removes
pathregex check on the vimeo endpoint to allow urls with and without/video.
- Hardcode the oembed endpoint for vimeo, which stopped offering oembed metadata on pages.
- Switched to
fast-xml-parser, eliminating installation warnings aboutxml2js.
- Switched to
node-fetch, eliminating installation warnings about the unsupportedrequestmodule. - Switched to mocha 10.x, eliminating another set of installation warnings.
- Internal implementation of
oembed.jsnow usesasync/awaitfor better maintainability.
- Updates
cheerioto the 1.0.0-rc version series to address a security vulnerability.
renamed the whitelist and suggestedWhitelist properties to allowlist and suggestedAllowlist, respectively. Also introduced support for options.headers.
workaround for YouTube bug in which video pages contain http: recommendations for oembed URLs, but an http: request is rejected with a 403 error. Force https: for YouTube.
fixed URL parsing bugs impacting use of preconfigured endpoints that already contain some query string parameters.
Updated links and information in the README.
fixed a nuisance error that was appearing when Facebook was present but window was not the default object.
unnecessary Facebook API logic was running on non-Facebook embeds due to a syntax mistake in 0.1.17.
report HTTP errors properly rather than attempting to parse a nonexistent JSON body. Also, always try/catch when parsing JSON and report the exception as the callback error if necessary.
Facebook oembed filter works regardless of whether Facebook's API has been initialized yet or not.
Built in filter that handles Facebook oembed responses.
allowlisted facebook.com, which has extensive oembed these days.
bumped cheerio dependency to fix deprecation warnings. No behavior changes.
relative URLs work with discovery. Thanks to Alejandro Torrado.
(unchanged, npm publishing issue)
don't crash when evaluating allowlists if parsed.hostname somehow manages not to be set.
user agent string to please Facebook. Thanks to equinox7.
the new endpoints option allows you to configure custom oembed API endpoints for services that don't advertise an endpoint or advertise it incorrectly.
support SoundCloud. Added it to the suggested allowlist and added tolerance for their incorrect JSON content type.
security improvement:
reject all URLs that are not http: or https: completely, right up front. This means you don't have to protect against these obvious hacks in your before and after handlers.
packaging issues, no changes.
if the URL leads to a page with no oembed metadata, look for a link rel="canonical" tag and try that URL instead. Don't pursue this more than one step.
Also, specify a user agent so that certain hosts don't give us watered-down HTML.
added youtu.be to the suggested allowlist.