release: 0.14.1

.gitignore

@@ -4,3 +4,4 @@ bun.lockb
 dist
 .env
 .wrangler
+.codex

functions/api/preview.ts

@@ -2,6 +2,7 @@ type Env = Record<string, unknown>;
 
 const MAX_RESPONSE_BYTES = 512 * 1024;
 const REQUEST_TIMEOUT_MS = 5000;
+const MAX_REDIRECTS = 2;
 
 const textDecoder = new TextDecoder("utf-8");
 
@@ -35,12 +36,16 @@ const extractTitle = (html: string): string | null => {
   return text || null;
 };
 
-const toAbsoluteUrl = (value: string | null, baseUrl: string): string | null => {
+const toAbsoluteHttpUrl = (value: string | null, baseUrl: string): string | null => {
   if (!value) {
     return null;
   }
   try {
-    return new URL(value, baseUrl).toString();
+    const url = new URL(value, baseUrl);
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      return null;
+    }
+    return url.toString();
   } catch {
     return null;
   }
@@ -81,6 +86,13 @@ const isPrivateIpv4 = (host: string): boolean => {
 
 const isPrivateIpv6 = (host: string): boolean => {
   const normalized = host.toLowerCase();
+  if (normalized === "::" || normalized === "0:0:0:0:0:0:0:0") {
+    return true;
+  }
+  if (normalized.startsWith("::ffff:")) {
+    const mappedIpv4 = normalized.slice(7);
+    return isIpAddress(mappedIpv4) && isPrivateIpv4(mappedIpv4);
+  }
   return (
     normalized === "::1" ||
     normalized.startsWith("fe80:") ||
@@ -100,6 +112,84 @@ const isBlockedHostname = (hostname: string): boolean => {
   return false;
 };
 
+const isYouTubeHost = (hostname: string): boolean => {
+  const lower = hostname.toLowerCase();
+  return lower === "youtu.be" || lower === "youtube.com" || lower.endsWith(".youtube.com");
+};
+
+
+const isAllowedContentType = (contentType: string): boolean => {
+  const normalized = contentType.toLowerCase().split(";")[0]?.trim();
+  return normalized === "text/html" || normalized === "application/xhtml+xml";
+};
+
+
+const fetchWithSafeRedirects = async (
+  targetUrl: URL,
+  signal: AbortSignal,
+  redirectCount = 0
+): Promise<Response> => {
+  const response = await fetch(targetUrl.toString(), {
+    signal,
+    redirect: "manual",
+    headers: {
+      "User-Agent": "DeckLinkPreview/1.0",
+      Accept: "text/html,application/xhtml+xml"
+    }
+  });
+
+  if (response.status >= 300 && response.status < 400) {
+    if (redirectCount >= MAX_REDIRECTS) {
+      throw new Error("too_many_redirects");
+    }
+    const location = response.headers.get("location");
+    if (!location) {
+      throw new Error("invalid_redirect");
+    }
+    let redirectedUrl: URL;
+    try {
+      redirectedUrl = new URL(location, targetUrl.toString());
+    } catch {
+      throw new Error("invalid_redirect");
+    }
+    const validatedRedirectUrl = isValidHttpUrl(redirectedUrl.toString());
+    if (!validatedRedirectUrl || isBlockedHostname(validatedRedirectUrl.hostname)) {
+      throw new Error("blocked_redirect");
+    }
+    return fetchWithSafeRedirects(validatedRedirectUrl, signal, redirectCount + 1);
+  }
+
+  return response;
+};
+
+
+const fetchYouTubeOEmbed = async (targetUrl: string): Promise<{ title: string; image: string | null } | null> => {
+  try {
+    const oembedUrl = new URL("https://www.youtube.com/oembed");
+    oembedUrl.searchParams.set("url", targetUrl);
+    oembedUrl.searchParams.set("format", "json");
+    const response = await fetch(oembedUrl.toString(), {
+      headers: {
+        Accept: "application/json"
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const data = (await response.json()) as { title?: string; thumbnail_url?: string };
+    if (!data.title) {
+      return null;
+    }
+    return {
+      title: data.title,
+      image: data.thumbnail_url ?? null
+    };
+  } catch {
+    return null;
+  }
+};
+
+
 const readResponseText = async (response: Response): Promise<string> => {
   if (!response.body) {
     return response.text();
@@ -129,67 +219,87 @@ const readResponseText = async (response: Response): Promise<string> => {
   return textDecoder.decode(combined);
 };
 
-const buildResponse = (body: Record<string, unknown>, status = 200, cacheSeconds = 600): Response => {
+const buildResponse = (
+  body: Record<string, unknown>,
+  status = 200,
+  cacheSeconds = 600,
+  allowedOrigin?: string
+): Response => {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json; charset=utf-8",
+    "Cache-Control": `public, max-age=${cacheSeconds}`,
+    "Content-Security-Policy": "default-src 'none'",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    Vary: "Origin"
+  };
+
+  if (allowedOrigin) {
+    headers["Access-Control-Allow-Origin"] = allowedOrigin;
+  }
+
   return new Response(JSON.stringify(body), {
     status,
-    headers: {
-      "Content-Type": "application/json; charset=utf-8",
-      "Cache-Control": `public, max-age=${cacheSeconds}`,
-      "Access-Control-Allow-Origin": "*"
-    }
+    headers
   });
 };
 
 export const onRequestGet = async (context: { request: Request } & { env?: Env }) => {
   const requestUrl = new URL(context.request.url);
+  const allowedOrigin = requestUrl.origin;
   const urlParam = requestUrl.searchParams.get("url");
   if (!urlParam) {
-    return buildResponse({ error: "missing_url" }, 400, 60);
+    return buildResponse({ error: "missing_url" }, 400, 60, allowedOrigin);
   }
 
   const targetUrl = isValidHttpUrl(urlParam);
   if (!targetUrl || isBlockedHostname(targetUrl.hostname)) {
-    return buildResponse({ error: "invalid_url" }, 400, 60);
+    return buildResponse({ error: "invalid_url" }, 400, 60, allowedOrigin);
   }
 
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
 
   try {
-    const response = await fetch(targetUrl.toString(), {
-      signal: controller.signal,
-      headers: {
-        "User-Agent": "DeckLinkPreview/1.0",
-        Accept: "text/html,application/xhtml+xml"
-      }
-    });
+    const response = await fetchWithSafeRedirects(targetUrl, controller.signal);
 
     if (!response.ok) {
-      return buildResponse({ error: "fetch_failed", status: response.status }, 200, 60);
+      return buildResponse({ error: "fetch_failed", status: response.status }, 200, 60, allowedOrigin);
     }
 
     const contentType = response.headers.get("content-type") ?? "";
-    if (!contentType.includes("text/html")) {
-      return buildResponse({ error: "unsupported_content" }, 200, 300);
+    if (!isAllowedContentType(contentType)) {
+      return buildResponse({ error: "unsupported_content" }, 200, 300, allowedOrigin);
     }
 
     const html = await readResponseText(response);
     if (!html) {
-      return buildResponse({ error: "empty_body" }, 200, 60);
+      return buildResponse({ error: "empty_body" }, 200, 60, allowedOrigin);
     }
 
     const ogTitle = extractMetaTagContent(html, "property", "og:title");
     const ogDescription = extractMetaTagContent(html, "property", "og:description");
     const ogImageRaw = extractMetaTagContent(html, "property", "og:image");
     const ogUrl = extractMetaTagContent(html, "property", "og:url");
     const metaDescription = extractMetaTagContent(html, "name", "description");
-    const title = ogTitle || extractTitle(html);
+    let title = ogTitle || extractTitle(html);
     const description = ogDescription || metaDescription;
-    const image = toAbsoluteUrl(ogImageRaw, targetUrl.toString());
-    const canonicalUrl = toAbsoluteUrl(ogUrl, targetUrl.toString()) ?? targetUrl.toString();
+    let image = toAbsoluteHttpUrl(ogImageRaw, targetUrl.toString());
+    const canonicalUrl = toAbsoluteHttpUrl(ogUrl, targetUrl.toString()) ?? targetUrl.toString();
+
+    const shouldFetchYouTube = !title || title.trim() === "YouTube";
+    if (shouldFetchYouTube && isYouTubeHost(targetUrl.hostname)) {
+      const oembed = await fetchYouTubeOEmbed(targetUrl.toString());
+      if (oembed) {
+        title = title || oembed.title;
+        image = image || oembed.image;
+      }
+    }
+
 
     if (!title) {
-      return buildResponse({ error: "missing_title" }, 200, 300);
+      return buildResponse({ error: "missing_title" }, 200, 300, allowedOrigin);
     }
 
     return buildResponse(
@@ -200,13 +310,17 @@ export const onRequestGet = async (context: { request: Request } & { env?: Env }
         image: image || null
       },
       200,
-      600
+      600,
+      allowedOrigin
     );
   } catch (error) {
+    if (error instanceof Error && ["invalid_redirect", "blocked_redirect", "too_many_redirects"].includes(error.message)) {
+      return buildResponse({ error: error.message }, 200, 60, allowedOrigin);
+    }
     if (error instanceof Error && error.name === "AbortError") {
-      return buildResponse({ error: "timeout" }, 200, 60);
+      return buildResponse({ error: "timeout" }, 200, 60, allowedOrigin);
     }
-    return buildResponse({ error: "fetch_failed" }, 200, 60);
+    return buildResponse({ error: "fetch_failed" }, 200, 60, allowedOrigin);
   } finally {
     clearTimeout(timeout);
   }

index.html

@@ -6,7 +6,7 @@
     <link rel="icon" href="/src/ui/assets/textodon-icon-blue.png" type="image/png" />
     <meta
       http-equiv="Content-Security-Policy"
-      content="default-src 'self'; img-src 'self' https: data: blob:; media-src https: blob: data:; connect-src 'self' https: wss: http://localhost:8788 http://127.0.0.1:8788; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; font-src 'self' https://cdn.jsdelivr.net data:; script-src 'self';"
+      content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' https: data: blob:; media-src 'self' https: blob: data:; font-src 'self' https://cdn.jsdelivr.net data:; connect-src 'self' https: wss:; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob:;"
     />
     <meta property="og:title" content="Deck" />
     <meta property="og:description" content="오픈소스 페디버스 클라이언트" />

package.json

@@ -6,24 +6,31 @@
   "scripts": {
     "dev": "vite",
     "build": "vite build",
+    "dev:preview": "bun run build && bunx wrangler pages dev dist",
     "preview": "vite preview",
     "test": "bun test",
     "test:watch": "bun test --watch"
   },
   "dependencies": {
-    "dompurify": "^3.3.1",
+    "dompurify": "^3.3.2",
     "emoji-datasource": "^16.0.0",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
-    "wrangler": "3.90.0"
+    "wrangler": "^4.78.0"
   },
   "devDependencies": {
-    "@types/dompurify": "^3.2.0",
     "@types/react": "^18.3.3",
     "@types/react-dom": "^18.3.0",
-    "@vitejs/plugin-react": "^4.3.1",
+    "@vitejs/plugin-react": "^6.0.1",
+    "bun-types": "^1.3.11",
+    "esbuild": "^0.25.5",
+    "picomatch": "^4.0.4",
+    "rollup": "^4.59.0",
     "typescript": "^5.5.4",
-    "vite": "^5.4.0",
-    "vite-plugin-svgr": "^4.5.0"
+    "vite": "^8.0.3",
+    "vite-plugin-svgr": "^5.0.0"
+  },
+  "overrides": {
+    "picomatch": "^4.0.4"
   }
 }

public/_headers

@@ -0,0 +1,5 @@
+/*
+  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' https: data: blob:; media-src 'self' https: blob: data:; font-src 'self' https://cdn.jsdelivr.net data:; connect-src 'self' https: wss:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; worker-src 'self' blob:
+  X-Content-Type-Options: nosniff
+  X-Frame-Options: DENY
+  Referrer-Policy: strict-origin-when-cross-origin