Closed, Resolved (Public)


GitHub repo:

Hi there, I am one of the maintainers of the forked version of Extension:EmbedVideo.

I realized that the original extension has been requested multiple times on Miraheze but was declined due to security reasons in the past. While I am not familiar with the exact reasons that the old extension was declined, I will try my best to meet any necessary requirements from Miraheze for security review.

We forked Extension:EmbedVideo because it was unmaintained like most Fandom extensions. The forked version is refactored and includes numerous security and privacy improvements.
For example, the iframe would only be loaded when the user gives consent by clicking the load button, so there would be no external connection until the user interacts. It also supports the native MediaWiki CSP, so the required CSP rules would be added on the pages that require them. There is also support for local media, similar to Extension:TimedMediaHandler. A whitelist has also been added so wikis can choose to enable only a selection of services.

However, because of the extensive rewrite, a lot of previously supported services were removed. The currently supported services include SoundCloud, Spotify, Twitch, Vimeo, and YouTube. More can be added in the future if needed, but it is less than what the original extension supports. The original parser functions have been simplified into only one as well.

It is deployed on multiple production wikis; here's an example page with a YouTube embed.
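The consent-gated loading, per-page CSP and service allowlist described in the request above can be sketched as follows. This is an added example, not code from the EmbedVideo fork or from Miraheze; the function names, the two service definitions and the sample IDs are assumptions made for illustration.

```javascript
// Hypothetical service table: origin, embed path and the ID shape accepted for each service.
const SERVICES = {
  youtube: { origin: 'https://www.youtube.com', path: id => `/embed/${id}`, id: /^[A-Za-z0-9_-]{11}$/ },
  vimeo: { origin: 'https://player.vimeo.com', path: id => `/video/${id}`, id: /^[0-9]+$/ },
};

// Resolve an embed request against the wiki's enabled-services allowlist.
// Returns null for a service that is not enabled or an ID that is malformed,
// so untrusted wikitext never reaches the iframe src unvalidated.
function resolveEmbed(service, id, enabledServices) {
  const key = String(service).toLowerCase();
  const known = Object.prototype.hasOwnProperty.call(SERVICES, key);
  if (!known || !enabledServices.includes(key)) return null;
  const def = SERVICES[key];
  if (typeof id !== 'string' || !def.id.test(id)) return null;
  return { service: key, src: def.origin + def.path(id), cspSource: def.origin };
}

// Per-page CSP: only a page that actually contains embeds gets the extra origins.
function frameSrcDirective(embeds) {
  const origins = [...new Set(embeds.map(e => e.cspSource))].sort();
  return origins.length ? `frame-src 'self' ${origins.join(' ')}` : null;
}

// Consent gate: render a button first and create the iframe only inside the
// click handler, so no request goes to the third party before the user acts.
function mountConsentEmbed(doc, container, embed) {
  const button = doc.createElement('button');
  button.textContent = `Load ${embed.service} content`;
  button.addEventListener('click', () => {
    const frame = doc.createElement('iframe');
    frame.setAttribute('title', `${embed.service} embed`);
    frame.src = embed.src;
    container.replaceChildren(frame);
  }, { once: true });
  container.replaceChildren(button);
  return button;
}
```
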

Event Timeline

Unknown Object (User) claimed this task. Jun 27 2021, 00:32
Unknown Object (User) moved this task from Backlog to Security Review Needed on the Extensions board. Jun 27 2021, 02:43
Unknown Object (User) moved this task from Backlog to Short Term on the MediaWiki (SRE) board.
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.

I did one patch to this myself to clean up a hook, nothing major. This extension does seem much safer than the original, therefore... approved.

Unknown Object (User) reassigned this task from Unknown Object (User) to Redmin. Jun 28 2021, 01:37
Unknown Object (User) added a subscriber: Redmin.

Assigning to @R4356th for submitting PRs to install per discussion on Discord.

Unknown Object (User) claimed this task. Jun 30 2021, 00:22

Claiming to install the mw-config portion shortly. @R4356th did the submodule.

Unknown Object (User) closed this task as Resolved. Jul 19 2021, 23:40