no shared audio and video embedding

[mcnesium]

So since #2523 and resulting #6599 we can embed link-shared images into external web sites, which is awesome 👍

I wonder, why this …/preview URL is only available for images, but not for audio and video files, or any other file type. Any clues?

[MorrisJobke]

I wonder, why this …/preview URL is only available for images, but not for audio and video files, or any other file type. Any clues?

Because we need to re-encode the content otherwise attackers could inject malicious code and it then looks like the nextcloud server itself is the source of that code. Usually this is fixed by other services by serving user content from a different domain, but as we don't have this in Nextcloud and we serve everything from one domain it would be easier for attackers to server malicious files and do further attacks.

That's also the reason, why the real untouched files are always downloaded and never shown inline, because this is the only way to work around this attack beside re-encoding.

[MorrisJobke]

@rullzer @nickvergessen Correct me if I'm wrong.

[rullzer]

That is correct!

[mcnesium]

sounds reasonable 🤔

[GAS85]

Just to make it clear:
To embed content to e.g. forum, use shared link with download at the end:

https://domain.com/s/b37j9Lxi9LkR4ft/download

or in case of shared folder you need to embed one particular file

https://domain.com/s/b37j9Lxi9LkR4ft/download?path=/&files=000001.jpg

There is no need to make direct link on previews.