Changes to how custom embeds work

2015-06-29 18:32:18 -07:00 · 2015-06-29 18:32:18 -07:00 · b34ea01c3d
commit b34ea01c3d
parent 92d5375950
7 changed files with 141 additions and 75 deletions
--- a/player/custom-embed.coffee
+++ b/player/custom-embed.coffee
@ -1,17 +1,8 @@
-DEFAULT_ERROR = 'You are currently connected via HTTPS but the embedded content
-    uses non-secure plain HTTP.  Your browser therefore blocks it from
-    loading due to mixed content policy.  To fix this, embed the video using a
-    secure link if available (https://...), or load this page over plain HTTP by
-    replacing "https://" with "http://" in the address bar (your websocket will
-    still be secured using HTTPS, but this will permit non-secure content to load).'
+CUSTOM_EMBED_WARNING = 'This channel is embedding custom content from %link%.
+    Since this content is not trusted, you must click "Embed" below to allow
+    the content to be embedded.<hr>'

-genParam = (name, value) ->
-    $('<param/>').attr(
-        name: name
-        value: value
-    )
-
-window.CustomEmbedPlayer = class CustomEmbedPlayer extends Player
+window.CustomEmbedPlayer = class CustomEmbedPlayer extends EmbedPlayer
    constructor: (data) ->
        if not (this instanceof CustomEmbedPlayer)
            return new CustomEmbedPlayer(data)
@ -19,45 +10,19 @@ window.CustomEmbedPlayer = class CustomEmbedPlayer extends Player
        @load(data)

    load: (data) ->
-        embed = data.meta.embed
-        if not embed?
+        if not data.meta.embed?
            console.error('CustomEmbedPlayer::load(): missing meta.embed')
            return

-        if embed.tag == 'object'
-            @player = @loadObject(embed)
-        else
-            @player = @loadIframe(embed)
-
-        removeOld(@player)
-
-    loadObject: (embed) ->
-        object = $('<object/>').attr(
-            type: 'application/x-shockwave-flash'
-            data: embed.src
-        )
-        genParam('allowfullscreen', 'true').appendTo(object)
-        genParam('allowscriptaccess', 'always').appendTo(object)
-
-        for key, value of embed.params
-            genParam(key, value).appendTo(object)
-
-        return object
-
-    loadIframe: (embed) ->
-        if embed.src.indexOf('http:') == 0 and location.protocol == 'https:'
-            if embed.mixedContentError?
-                error = embed.mixedContentError
-            else
-                error = DEFAULT_ERROR
-            alert = makeAlert('Mixed Content Error', error, 'alert-danger')
-                .removeClass('col-md-12')
-            alert.find('.close').remove()
-            return alert
-        else
-            iframe = $('<iframe/>').attr(
-                src: embed.src
-                frameborder: '0'
+        embedSrc = data.meta.embed.src
+        link = "<a href=\"#{embedSrc}\" target=\"_blank\"><strong>#{embedSrc}</strong></a>"
+        alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link),
+            'alert-warning')
+            .removeClass('col-md-12')
+        $('<button/>').addClass('btn btn-default')
+            .text('Embed')
+            .click(=>
+                super(data)
            )
-
-            return iframe
+            .appendTo(alert.find('.alert'))
+        removeOld(alert)
--- a/player/embed.coffee
+++ b/player/embed.coffee
@ -0,0 +1,65 @@
+DEFAULT_ERROR = 'You are currently connected via HTTPS but the embedded content
+    uses non-secure plain HTTP.  Your browser therefore blocks it from
+    loading due to mixed content policy.  To fix this, embed the video using a
+    secure link if available (https://...), or load this page over plain HTTP by
+    replacing "https://" with "http://" in the address bar (your websocket will
+    still be secured using HTTPS, but this will permit non-secure content to load).'
+
+genParam = (name, value) ->
+    $('<param/>').attr(
+        name: name
+        value: value
+    )
+
+window.EmbedPlayer = class EmbedPlayer extends Player
+    constructor: (data) ->
+        if not (this instanceof EmbedPlayer)
+            return new EmbedPlayer(data)
+
+        @load(data)
+
+    load: (data) ->
+        @setMediaProperties(data)
+
+        embed = data.meta.embed
+        if not embed?
+            console.error('EmbedPlayer::load(): missing meta.embed')
+            return
+
+        if embed.tag == 'object'
+            @player = @loadObject(embed)
+        else
+            @player = @loadIframe(embed)
+
+        removeOld(@player)
+
+    loadObject: (embed) ->
+        object = $('<object/>').attr(
+            type: 'application/x-shockwave-flash'
+            data: embed.src
+        )
+        genParam('allowfullscreen', 'true').appendTo(object)
+        genParam('allowscriptaccess', 'always').appendTo(object)
+
+        for key, value of embed.params
+            genParam(key, value).appendTo(object)
+
+        return object
+
+    loadIframe: (embed) ->
+        if embed.src.indexOf('http:') == 0 and location.protocol == 'https:'
+            if @__proto__.mixedContentError?
+                error = @__proto__.mixedContentError
+            else
+                error = DEFAULT_ERROR
+            alert = makeAlert('Mixed Content Error', error, 'alert-danger')
+                .removeClass('col-md-12')
+            alert.find('.close').remove()
+            return alert
+        else
+            iframe = $('<iframe/>').attr(
+                src: embed.src
+                frameborder: '0'
+            )
+
+            return iframe
--- a/player/hitbox.coffee
+++ b/player/hitbox.coffee
@ -5,7 +5,7 @@ HITBOX_ERROR = 'Hitbox.tv only serves its content over plain HTTP, but you are
    bar)-- your websocket will still be connected using secure HTTPS.  This is
    something I have asked Hitbox to fix but they have not done so yet.'

-window.HitboxPlayer = class HitboxPlayer extends CustomEmbedPlayer
+window.HitboxPlayer = class HitboxPlayer extends EmbedPlayer
    constructor: (data) ->
        if not (this instanceof HitboxPlayer)
            return new HitboxPlayer(data)
@ -16,5 +16,6 @@ window.HitboxPlayer = class HitboxPlayer extends CustomEmbedPlayer
        data.meta.embed =
            src: "http://hitbox.tv/embed/#{data.id}"
            tag: 'iframe'
-            mixedContentError: HITBOX_ERROR
        super(data)
+
+    mixedContentError: HITBOX_ERROR
--- a/player/imgur.coffee
+++ b/player/imgur.coffee
@ -1,4 +1,4 @@
-window.ImgurPlayer = class ImgurPlayer extends CustomEmbedPlayer
+window.ImgurPlayer = class ImgurPlayer extends EmbedPlayer
    constructor: (data) ->
        if not (this instanceof ImgurPlayer)
            return new ImgurPlayer(data)
--- a/player/rtmp.coffee
+++ b/player/rtmp.coffee
@ -2,7 +2,7 @@ window.rtmpEventHandler = (id, event, data) ->
    if event == 'volumechange'
        PLAYER.volume = if data.muted then 0 else data.volume

-window.RTMPPlayer = class RTMPPlayer extends CustomEmbedPlayer
+window.RTMPPlayer = class RTMPPlayer extends EmbedPlayer
    constructor: (data) ->
        if not (this instanceof RTMPPlayer)
            return new RTMPPlayer(data)
--- a/player/ustream.coffee
+++ b/player/ustream.coffee
@ -1,4 +1,4 @@
-window.UstreamPlayer = class UstreamPlayer extends CustomEmbedPlayer
+window.UstreamPlayer = class UstreamPlayer extends EmbedPlayer
    constructor: (data) ->
        if not (this instanceof UstreamPlayer)
            return new UstreamPlayer(data)