oEmbed
oEmbed is a format for allowing an embedded representation of a URL on third party sites. The simple API allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.
Table Of Contents
Full Spec Security considerations Discovery More examples Authors Implementations 1. Quick Example
A consumer (eg. Pownce) makes the following HTTP request:
http://www.flickr.com/services/oembed/?url=http%3A//www.flickr.com/photos/bees/2341623661/
The provider (eg. Flickr) then responds with an oEmbed response:
{ "version": "1.0", "type": "photo", "width": 240, "height": 160, "title": "ZB8T0193", "url": "http://farm4.static.flickr.com/3123/2341623661_7c99f48bbf_m.jpg", "author_name": "Bees", "author_url": "http://www.flickr.com/photos/bees/", "provider_name": "Flickr", "provider_url": "http://www.flickr.com/" }This allows the consumer to turn a URL to a Flickr photo page into structured data to allow embedding of that photo in the consumer's website.
2. Full Spec
This spec is broken into three parts - configuration, the consumer request and the provider response.
An oEmbed exchange occurs between a consumer and a provider. A consumer wishes to show an embedded representation of a third party resource on their own web site, such as a photo or an embedded video. A provider implements the oEmbed API to allow consumers to fetch that representation.
2.1. Configuration
Configuration for oEmbed is very simple. Providers must specify one or more URL scheme and API endpoint pairs. The URL scheme describes which URLs provided by the service may have an embedded representation. The API endpoint describes where the consumer may request representations for those URLs.
For instance:
- URL scheme:
http://www.flickr.com/photos/*
- API endpoint:
http://www.flickr.com/services/oembed/
The URL scheme may contain one or more wildcards (specified with an asterisk). Wildcards may be present in the domain portion of the URL, or in the path. Within the domain portion, wildcards may only be used for subdomains. Wildcards may not be used in the scheme (to support HTTP and HTTPS, provide two url/endpoint pairs).
Some examples:
http://www.flickr.com/photos/*
OKhttp://www.flickr.com/photos/*/foo/
OKhttp://*.flickr.com/photos/*
OKhttp://*.com/photos/*
NOT OK*://www.flickr.com/photos/*
NOT OKThe API endpoint must point to an HTTP endpoint URL (not HTTPS) which implements the API described below.
2.2. Consumer Request
Requests sent to the API endpoint must be HTTP GET requests, with all arguments sent as query parameters. All arguments must be urlencoded (as per RFC 1738).
The following query parameters are defined as part of the spec:
url
(required)- The URL to retrieve embedding information for.
maxwidth
(optional)- The maximum width of the embedded resource. Only applies to some resource types (as specified below). For supported resource types, this parameter must be respected by providers.
maxheight
(optional)- The maximum height of the embedded resource. Only applies to some resource types (as specified below). For supported resource types, this parameter must be respected by providers.
format
(optional)- The required response format. When not specified, the provider can return any valid response format. When specified, the provider must return data in the request format, else return an error (see below for error codes).
Providers should ignore all other arguments it doesn't expect. Providers are welcome to support custom additional parameters.
Some examples:
http://flickr.com/services/oembed?url=http%3A//flickr.com/photos/bees/2362225867/
http://flickr.com/services/oembed?url=http%3A//flickr.com/photos/bees/2362225867/&maxwidth=300&maxheight=400&format=json
Note: Providers may choose to have the format specified as part of the endpoint URL itself, rather than as a query string parameter.
For instance:
- URL scheme:
http://www.flickr.com/photos/*
- API XML endpoint:
http://www.flickr.com/services/oembed.xml
- API JSON endpoint:
http://www.flickr.com/services/oembed.json
In this case, the format parameter is not needed and will be ignored. When a provider publishes a URL scheme and API endpoint pair, they should clearly state whether the format is implicit in the endpoint or if it needs to be passed as an argument.
2.3. Provider Response
The response returned by the provider can be in either JSON or XML. Each format specifies a way of encoding name-value pairs which comprise the response data. Each format has an associated mime-type which must be returned in the
Content-type
header along with the response.2.3.1. JSON response
JSON responses must contain well formed JSON and must use the mime-type of
application/json
. The JSON response format may be requested by the consumer by specifying aformat
ofjson
.For example:
{ "foo": "bar", "baz": 1 }The key-value pairs to be returned are specified below. All text must be UTF-8 encoded.
2.3.2. XML response
XML responses must use the mime-type of
text/xml
. The XML response format may be requested by the consumer by specifying aformat
ofxml
. The response body must contain well formed XML with a root element calledoembed
and child elements for each key containing the value within the element body. For example:<?xml version="1.0" encoding="utf-8" standalone="yes"?> <oembed> <foo>bar</foo> <baz>1</baz> </oembed>The key-value pairs to be returned are specified below. All text must be UTF-8 encoded. Values should be escaped PCDATA. For example:
<?xml version="1.0" encoding="utf-8" standalone="yes"?> <oembed> <html><b>awesome!</b></html> </oembed>2.3.4. Response parameters
Responses can specify a resource type, such as
photo
orvideo
. Each type has specific parameters associated with it. The following response parameters are valid for all response types:
type
(required)- The resource type. Valid values, along with value-specific parameters, are described below.
version
(required)- The oEmbed version number. This must be
1.0
.title
(optional)- A text title, describing the resource.
author_name
(optional)- The name of the author/owner of the resource.
author_url
(optional)- A URL for the author/owner of the resource.
provider_name
(optional)- The name of the resource provider.
provider_url
(optional)- The url of the resource provider.
cache_age
(optional)- The suggested cache lifetime for this resource, in seconds. Consumers may choose to use this value or not.
thumbnail_url
(optional)- A URL to a thumbnail image representing the resource. The thumbnail must respect any
maxwidth
andmaxheight
parameters. If this paramater is present,thumbnail_width
andthumbnail_height
must also be present.thumbnail_width
(optional)- The width of the optional thumbnail. If this paramater is present,
thumbnail_url
andthumbnail_height
must also be present.thumbnail_height
(optional)- The height of the optional thumbnail. If this paramater is present,
thumbnail_url
andthumbnail_width
must also be present.Providers may optionally include any parameters not specified in this document (so long as they use the same key-value format) and consumers may choose to ignore these. Consumers must ignore parameters they do not understand.
2.3.4.1. The
photo
typeThis type is used for representing static photos. The following parameters are defined:
url
(required)- The source URL of the image. Consumers should be able to insert this URL into an
<img>
element. Only HTTP and HTTPS URLs are valid.width
(required)- The width in pixels of the image specified in the
url
parameter.height
(required)- The height in pixels of the image specified in the
url
parameter.Responses of this type must obey the
maxwidth
andmaxheight
request parameters.2.3.4.2. The
video
typeThis type is used for representing playable videos. The following parameters are defined:
html
(required)- The HTML required to embed a video player. The HTML should have no padding or margins. Consumers may wish to load the HTML in an off-domain iframe to avoid XSS vulnerabilities.
width
(required)- The width in pixels required to display the HTML.
height
(required)- The height in pixels required to display the HTML.
Responses of this type must obey the
maxwidth
andmaxheight
request parameters. If a provider wishes the consumer to just provide a thumbnail, rather than an embeddable player, they should instead return aphoto
response type.2.3.4.3. The
link
typeResponses of this type allow a provider to return any generic embed data (such as
title
andauthor_name
), without providing either the url or html parameters. The consumer may then link to the resource, using the URL specified in the original request.2.3.4.4. The
rich
typeThis type is used for rich HTML content that does not fall under one of the other categories. The following parameters are defined:
html
(required)- The HTML required to display the resource. The HTML should have no padding or margins. Consumers may wish to load the HTML in an off-domain iframe to avoid XSS vulnerabilities. The markup should be valid XHTML 1.0 Basic.
width
(required)- The width in pixels required to display the HTML.
height
(required)- The height in pixels required to display the HTML.
Responses of this type must obey the
maxwidth
andmaxheight
request parameters.2.3.5. Errors
Providers should return any error conditions as HTTP status codes. The following status codes are defined as part of the oEmbed specification:
404 Not Found
- The provider has no response for the requested
url
parameter. This allows providers to be broad in their URL scheme, and then determine at call time if they have a representation to return.501 Not Implemented
- The provider cannot return a response in the requested format. This should be sent when (for example) the request includes
format=xml
and the provider doesn't support XML responses. However, providers are encouraged to support both JSON and XML.401 Unauthorized
- The specified URL contains a private (non-public) resource. The consumer should provide a link directly to the resource instead of any embedding any extra information, and rely on the provider to provide access control.
3. Security considerations
When a consumer displays any URLs, they will probably want to filter the URL scheme to be one of
http
,https
ormailto
, although providers are free to specify any valid URL. Without filtering,Javascript:...
style URLs could be used for XSS attacks.When a consumer displays HTML (as with video embeds), there's a vector for XSS attacks from the provider. To avoid this, it is recommended that consumers display the HTML in an
iframe
, hosted from another domain. This ensures that the HTML cannot access cookies from the consumer domain.4. Discovery
oEmbed providers can choose to make their oEmbed support discoverable by adding elements to the head of their existing (X)HTML documents.
For example:
<link rel="alternate" type="application/json+oembed" href="http://flickr.com/services/oembed?url=http%3A//flickr.com/photos/bees/2362225867/&format=json" title="Bacon Lollys oEmbed Profile" /> <link rel="alternate" type="text/xml+oembed" href="http://flickr.com/services/oembed?url=http%3A//flickr.com/photos/bees/2362225867/&format=xml" title="Bacon Lollys oEmbed Profile" />The URLs contained within the
href
attribute should be the full oEmebed endpoint plus URL and any needed format parameter. No other request parameters should be included in this URL.The
type
attribute must contain eitherapplication/json+oembed
for JSON responses, ortext/xml+oembed
for XML.5. More examples
5.1. Video example
Request:
http://www.youtube.com/oembed?url=http%3A//youtube.com/watch%3Fv%3DM3r2XDceM6A&format=jsonResponse:
{ "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "Qik blog
The object of this blog began as a display of a varied amount of writings, scribblings and rantings that can be easily analysed by technology today to present the users with a clearer picture of the state of their minds, based on tests run on their input and their uses of the technology we are advocating with www.projectbrainsaver.com
Monday, 6 June 2011
oEmbed
via oembed.com
Flickr - projectbrainsaver
www.flickr.com
|