steveruizok/embeds.ts

## embeds.ts
type EmbedDefinition = {
	type: string
	title: string
	hostnames: string[]
	minWidth?: number
	minHeight?: number
	width: number
	height: number
	doesResize: boolean
	isAspectRatioLocked?: boolean
	// See file below
	overridePermissions?: TLEmbedShapePermissions
	// Some embeds have their own border radius for example spotify embeds
	overrideOutlineRadius?: number
	// Convert from a regular embed URL to an embed URL (e.g. `https://site.com/${id}` to `https://site.com/embed/${id}`)
	toEmbedUrl: (url: string) => string | undefined
	// Convert from a an embed URL to a regular URL (e.g. `https://site.com/embed/${id} to `https://site.com/${id}``)
	fromEmbedUrl: (url: string) => string | undefined
}

export const EMBED_DEFINITIONS: EmbedDefinition[] = [
	{
		type: 'tldraw',
		title: 'tldraw',
		hostnames: ['beta.tldraw.com', 'lite.tldraw.com'],
		minWidth: 300,
		minHeight: 300,
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(TLDRAW_APP_RE)) {
				return url
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(TLDRAW_APP_RE)) {
				return url
			}
			return
		},
	},
	{
		type: 'codesandbox',
		title: 'CodeSandbox',
		hostnames: ['codesandbox.io'],
		minWidth: 300,
		minHeight: 300,
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			const matches = urlObj && urlObj.pathname.match(/\/s\/([^/]+)\/?/)
			if (matches) {
				return `https://codesandbox.io/embed/${matches[1]}`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			const matches = urlObj && urlObj.pathname.match(/\/embed\/([^/]+)\/?/)
			if (matches) {
				return `https://codesandbox.io/s/${matches[1]}`
			}
			return
		},
	},
	{
		type: 'codepen',
		title: 'Codepen',
		hostnames: ['codepen.io'],
		minWidth: 300,
		minHeight: 300,
		width: 520,
		height: 400,
		doesResize: true,
		toEmbedUrl: (url) => {
			const CODEPEN_URL_REGEXP = /https:\/\/codepen.io\/([^/]+)\/pen\/([^/]+)/
			const matches = url.match(CODEPEN_URL_REGEXP)
			if (matches) {
				const [_, user, id] = matches
				return `https://codepen.io/${user}/embed/${id}`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const CODEPEN_EMBED_REGEXP = /https:\/\/codepen.io\/([^/]+)\/embed\/([^/]+)/
			const matches = url.match(CODEPEN_EMBED_REGEXP)
			if (matches) {
				const [_, user, id] = matches
				return `https://codepen.io/${user}/pen/${id}`
			}
			return
		},
	},
	{
		type: 'scratch',
		title: 'Scratch',
		hostnames: ['scratch.mit.edu'],
		width: 520,
		height: 400,
		doesResize: false,
		toEmbedUrl: (url) => {
			const SCRATCH_URL_REGEXP = /https?:\/\/scratch.mit.edu\/projects\/([^/]+)/
			const matches = url.match(SCRATCH_URL_REGEXP)
			if (matches) {
				const [_, id] = matches
				return `https://scratch.mit.edu/projects/embed/${id}`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const SCRATCH_EMBED_REGEXP = /https:\/\/scratch.mit.edu\/projects\/embed\/([^/]+)/
			const matches = url.match(SCRATCH_EMBED_REGEXP)
			if (matches) {
				const [_, id] = matches
				return `https://scratch.mit.edu/projects/${id}`
			}
			return
		},
	},
	{
		type: 'youtube',
		title: 'YouTube',
		hostnames: ['*.youtube.com', 'youtube.com', 'youtu.be'],
		width: 800,
		height: 450,
		doesResize: true,
		overridePermissions: {
			'allow-presentation': true,
		},
		isAspectRatioLocked: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (!urlObj) return

			const hostname = urlObj.hostname.replace(/^www./, '')
			if (hostname === 'youtu.be') {
				const videoId = urlObj.pathname.split('/').filter(Boolean)[0]
				return `https://www.youtube.com/embed/${videoId}`
			} else if (
				(hostname === 'youtube.com' || hostname === 'm.youtube.com') &&
				urlObj.pathname.match(/^\/watch/)
			) {
				const videoId = urlObj.searchParams.get('v')
				return `https://www.youtube.com/embed/${videoId}`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (!urlObj) return

			const hostname = urlObj.hostname.replace(/^www./, '')
			if (hostname === 'youtube.com') {
				const matches = urlObj.pathname.match(/^\/embed\/([^/]+)\/?/)
				if (matches) {
					return `https://www.youtube.com/watch?v=${matches[1]}`
				}
			}
			return
		},
	},
	{
		type: 'figma',
		title: 'Figma',
		hostnames: ['figma.com'],
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			if (
				!!url.match(
					// eslint-disable-next-line no-useless-escape
					/https:\/\/([\w\.-]+\.)?figma.com\/(file|proto)\/([0-9a-zA-Z]{22,128})(?:\/.*)?$/
				) &&
				!url.includes('figma.com/embed')
			) {
				return `https://www.figma.com/embed?embed_host=share&url=${url}`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/^\/embed\/?$/)) {
				const outUrl = urlObj.searchParams.get('url')
				if (outUrl) {
					return outUrl
				}
			}
			return
		},
	},
	{
		type: 'google_maps',
		title: 'Google Maps',
		hostnames: ['google.*'],
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			if (url.includes('/maps/')) {
				const match = url.match(/@(.*),(.*),(.*)z/)
				let result: string
				if (match) {
					const [, lat, lng, z] = match
					const host = new URL(url).host.replace('www.', '')
					result = `https://${host}/maps/embed/v1/view?key=${process.env.NEXT_PUBLIC_GC_API_KEY}&center=${lat},${lng}&zoom=${z}`
				} else {
					result = ''
				}

				return result
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (!urlObj) return

			const matches = urlObj.pathname.match(/^\/maps\/embed\/v1\/view\/?$/)
			if (matches && urlObj.searchParams.has('center') && urlObj.searchParams.get('zoom')) {
				const zoom = urlObj.searchParams.get('zoom')
				const [lat, lon] = urlObj.searchParams.get('center')!.split(',')
				return `https://www.google.com/maps/@${lat},${lon},${zoom}z`
			}
			return
		},
	},
	{
		type: 'github_gist',
		title: 'Github Gist',
		hostnames: ['gist.github.com'],
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/\/([^/]+)\/([^/]+)/)) {
				return url
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/\/([^/]+)\/([^/]+)/)) {
				return url
			}
			return
		},
	},
	{
		type: 'replit',
		title: 'Replit',
		hostnames: ['replit.com'],
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/\/@([^/]+)\/([^/]+)/)) {
				return `${url}?embed=true`
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (
				urlObj &&
				urlObj.pathname.match(/\/@([^/]+)\/([^/]+)/) &&
				urlObj.searchParams.has('embed')
			) {
				urlObj.searchParams.delete('embed')
				return urlObj.href
			}
			return
		},
	},
	{
		type: 'felt',
		title: 'Felt',
		hostnames: ['felt.com'],
		width: 720,
		height: 500,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/^\/map\//)) {
				return urlObj.origin + '/embed' + urlObj.pathname
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/^\/embed\/map\//)) {
				urlObj.pathname = urlObj.pathname.replace(/^\/embed/, '')
				return urlObj.href
			}
			return
		},
	},
	{
		type: 'spotify',
		title: 'Spotify',
		hostnames: ['open.spotify.com'],
		width: 720,
		height: 500,
		minHeight: 500,
		overrideOutlineRadius: 12,
		doesResize: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/^\/(artist|album)\//)) {
				return urlObj.origin + '/embed' + urlObj.pathname
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.pathname.match(/^\/embed\/(artist|album)\//)) {
				return urlObj.origin + urlObj.pathname.replace(/^\/embed/, '')
			}
			return
		},
	},
	{
		type: 'vimeo',
		title: 'Vimeo',
		hostnames: ['vimeo.com', 'player.vimeo.com'],
		width: 640,
		height: 360,
		doesResize: true,
		isAspectRatioLocked: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.hostname === 'vimeo.com') {
				if (urlObj.pathname.match(/^\/[0-9]+/)) {
					return (
						'https://player.vimeo.com/video/' + urlObj.pathname.split('/')[1] + '?title=0&byline=0'
					)
				}
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.hostname === 'player.vimeo.com') {
				const matches = urlObj.pathname.match(/^\/video\/([^/]+)\/?$/)
				if (matches) {
					return 'https://vimeo.com/' + matches[1]
				}
			}
			return
		},
	},
	{
		type: 'excalidraw',
		title: 'Excalidraw',
		hostnames: ['excalidraw.com'],
		width: 720,
		height: 500,
		doesResize: true,
		isAspectRatioLocked: true,
		toEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.hash.match(/#room=/)) {
				return url
			}
			return
		},
		fromEmbedUrl: (url) => {
			const urlObj = safeParseUrl(url)
			if (urlObj && urlObj.hash.match(/#room=/)) {
				return url
			}
			return
		},
	},
]

## tlEmbedShapePermissionDefaults.ts
export const tlEmbedShapePermissionDefaults = {
	// ========================================================================================
	// Disabled permissions
	// ========================================================================================
	// [MDN] Experimental: Allows for downloads to occur without a gesture from the user.
	// [REASON] Disabled because otherwise the <iframe/> trick the user on behalf of us to performing an action
	'allow-downloads-without-user-activation': false,
	// [MDN] Allows for downloads to occur with a gesture from the user.
	// [REASON] Disabled because otherwise the <iframe/> trick the user on behalf of us to performing an action
	'allow-downloads': false,
	// [MDN] Lets the resource open modal windows.
	// [REASON] The <iframe/> could 'window.prompt("Enter your tldraw password")'
	'allow-modals': false,
	// [MDN] Lets the resource lock the screen orientation.
	// [REASON] Would interfer with tldraw interface
	'allow-orientation-lock': false,
	// [MDN] Lets the resource use the Pointer Lock API.
	// [REASON] Maybe we should allow this for games embeds (scratch/codepen/codesandbox)
	'allow-pointer-lock': false,
	// [MDN] Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
	// [REASON] We shouldn't allow popups as a embed could pretend to be us by opening a mocked version of tldraw. This is very unobvious when it is performed as an action within out app
	'allow-popups': true,
	// [MDN] Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
	// [REASON] We're alread disabling popups.
	'allow-popups-to-escape-sandbox': false,
	// [MDN] Lets the resource start a presentation session.
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-presentation': false,
	// [MDN] Experimental: Lets the resource request access to the parent's storage capabilities with the Storage Access API.
	// [REASON] We don't want anyone else to access our storage
	'allow-storage-access-by-user-activation': false,
	// [MDN] Lets the resource navigate the top-level browsing context (the one named _top).
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-top-navigation': false,
	// [MDN] Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-top-navigation-by-user-activation': false,
	// ========================================================================================
	// Enabled permissions
	// ========================================================================================
	// [MDN] Lets the resource run scripts (but not create popup windows).
	'allow-scripts': true,
	// [MDN] If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
	'allow-same-origin': true,
	// [MDN] Allows the resource to submit forms. If this keyword is not used, form submission is blocked.
	'allow-forms': true,
} as const


/** @public */
export type TLEmbedShapePermissionName = keyof typeof tlEmbedShapePermissionDefaults
/** @public */
export type TLEmbedShapePermissions = { [K in TLEmbedShapePermissionName]?: boolean }
	type EmbedDefinition = {
	type: string
	title: string
	hostnames: string[]
	minWidth?: number
	minHeight?: number
	width: number
	height: number
	doesResize: boolean
	isAspectRatioLocked?: boolean
	// See file below
	overridePermissions?: TLEmbedShapePermissions
	// Some embeds have their own border radius for example spotify embeds
	overrideOutlineRadius?: number
	// Convert from a regular embed URL to an embed URL (e.g. `https://site.com/${id}` to `https://site.com/embed/${id}`)
	toEmbedUrl: (url: string) => string \| undefined
	// Convert from a an embed URL to a regular URL (e.g. `https://site.com/embed/${id} to `https://site.com/${id}``)
	fromEmbedUrl: (url: string) => string \| undefined
	}

	export const EMBED_DEFINITIONS: EmbedDefinition[] = [
	{
	type: 'tldraw',
	title: 'tldraw',
	hostnames: ['beta.tldraw.com', 'lite.tldraw.com'],
	minWidth: 300,
	minHeight: 300,
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(TLDRAW_APP_RE)) {
	return url
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(TLDRAW_APP_RE)) {
	return url
	}
	return
	},
	},
	{
	type: 'codesandbox',
	title: 'CodeSandbox',
	hostnames: ['codesandbox.io'],
	minWidth: 300,
	minHeight: 300,
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	const matches = urlObj && urlObj.pathname.match(/\/s\/([^/]+)\/?/)
	if (matches) {
	return `https://codesandbox.io/embed/${matches[1]}`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	const matches = urlObj && urlObj.pathname.match(/\/embed\/([^/]+)\/?/)
	if (matches) {
	return `https://codesandbox.io/s/${matches[1]}`
	}
	return
	},
	},
	{
	type: 'codepen',
	title: 'Codepen',
	hostnames: ['codepen.io'],
	minWidth: 300,
	minHeight: 300,
	width: 520,
	height: 400,
	doesResize: true,
	toEmbedUrl: (url) => {
	const CODEPEN_URL_REGEXP = /https:\/\/codepen.io\/([^/]+)\/pen\/([^/]+)/
	const matches = url.match(CODEPEN_URL_REGEXP)
	if (matches) {
	const [_, user, id] = matches
	return `https://codepen.io/${user}/embed/${id}`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const CODEPEN_EMBED_REGEXP = /https:\/\/codepen.io\/([^/]+)\/embed\/([^/]+)/
	const matches = url.match(CODEPEN_EMBED_REGEXP)
	if (matches) {
	const [_, user, id] = matches
	return `https://codepen.io/${user}/pen/${id}`
	}
	return
	},
	},
	{
	type: 'scratch',
	title: 'Scratch',
	hostnames: ['scratch.mit.edu'],
	width: 520,
	height: 400,
	doesResize: false,
	toEmbedUrl: (url) => {
	const SCRATCH_URL_REGEXP = /https?:\/\/scratch.mit.edu\/projects\/([^/]+)/
	const matches = url.match(SCRATCH_URL_REGEXP)
	if (matches) {
	const [_, id] = matches
	return `https://scratch.mit.edu/projects/embed/${id}`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const SCRATCH_EMBED_REGEXP = /https:\/\/scratch.mit.edu\/projects\/embed\/([^/]+)/
	const matches = url.match(SCRATCH_EMBED_REGEXP)
	if (matches) {
	const [_, id] = matches
	return `https://scratch.mit.edu/projects/${id}`
	}
	return
	},
	},
	{
	type: 'youtube',
	title: 'YouTube',
	hostnames: ['*.youtube.com', 'youtube.com', 'youtu.be'],
	width: 800,
	height: 450,
	doesResize: true,
	overridePermissions: {
	'allow-presentation': true,
	},
	isAspectRatioLocked: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (!urlObj) return

	const hostname = urlObj.hostname.replace(/^www./, '')
	if (hostname === 'youtu.be') {
	const videoId = urlObj.pathname.split('/').filter(Boolean)[0]
	return `https://www.youtube.com/embed/${videoId}`
	} else if (
	(hostname === 'youtube.com' \|\| hostname === 'm.youtube.com') &&
	urlObj.pathname.match(/^\/watch/)
	) {
	const videoId = urlObj.searchParams.get('v')
	return `https://www.youtube.com/embed/${videoId}`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (!urlObj) return

	const hostname = urlObj.hostname.replace(/^www./, '')
	if (hostname === 'youtube.com') {
	const matches = urlObj.pathname.match(/^\/embed\/([^/]+)\/?/)
	if (matches) {
	return `https://www.youtube.com/watch?v=${matches[1]}`
	}
	}
	return
	},
	},
	{
	type: 'figma',
	title: 'Figma',
	hostnames: ['figma.com'],
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	if (
	!!url.match(
	// eslint-disable-next-line no-useless-escape
	/https:\/\/([\w\.-]+\.)?figma.com\/(file\|proto)\/([0-9a-zA-Z]{22,128})(?:\/.*)?$/
	) &&
	!url.includes('figma.com/embed')
	) {
	return `https://www.figma.com/embed?embed_host=share&url=${url}`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/^\/embed\/?$/)) {
	const outUrl = urlObj.searchParams.get('url')
	if (outUrl) {
	return outUrl
	}
	}
	return
	},
	},
	{
	type: 'google_maps',
	title: 'Google Maps',
	hostnames: ['google.*'],
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	if (url.includes('/maps/')) {
	const match = url.match(/@(.),(.),(.*)z/)
	let result: string
	if (match) {
	const [, lat, lng, z] = match
	const host = new URL(url).host.replace('www.', '')
	result = `https://${host}/maps/embed/v1/view?key=${process.env.NEXT_PUBLIC_GC_API_KEY}&center=${lat},${lng}&zoom=${z}`
	} else {
	result = ''
	}

	return result
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (!urlObj) return

	const matches = urlObj.pathname.match(/^\/maps\/embed\/v1\/view\/?$/)
	if (matches && urlObj.searchParams.has('center') && urlObj.searchParams.get('zoom')) {
	const zoom = urlObj.searchParams.get('zoom')
	const [lat, lon] = urlObj.searchParams.get('center')!.split(',')
	return `https://www.google.com/maps/@${lat},${lon},${zoom}z`
	}
	return
	},
	},
	{
	type: 'github_gist',
	title: 'Github Gist',
	hostnames: ['gist.github.com'],
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/\/([^/]+)\/([^/]+)/)) {
	return url
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/\/([^/]+)\/([^/]+)/)) {
	return url
	}
	return
	},
	},
	{
	type: 'replit',
	title: 'Replit',
	hostnames: ['replit.com'],
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/\/@([^/]+)\/([^/]+)/)) {
	return `${url}?embed=true`
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (
	urlObj &&
	urlObj.pathname.match(/\/@([^/]+)\/([^/]+)/) &&
	urlObj.searchParams.has('embed')
	) {
	urlObj.searchParams.delete('embed')
	return urlObj.href
	}
	return
	},
	},
	{
	type: 'felt',
	title: 'Felt',
	hostnames: ['felt.com'],
	width: 720,
	height: 500,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/^\/map\//)) {
	return urlObj.origin + '/embed' + urlObj.pathname
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/^\/embed\/map\//)) {
	urlObj.pathname = urlObj.pathname.replace(/^\/embed/, '')
	return urlObj.href
	}
	return
	},
	},
	{
	type: 'spotify',
	title: 'Spotify',
	hostnames: ['open.spotify.com'],
	width: 720,
	height: 500,
	minHeight: 500,
	overrideOutlineRadius: 12,
	doesResize: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/^\/(artist\|album)\//)) {
	return urlObj.origin + '/embed' + urlObj.pathname
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.pathname.match(/^\/embed\/(artist\|album)\//)) {
	return urlObj.origin + urlObj.pathname.replace(/^\/embed/, '')
	}
	return
	},
	},
	{
	type: 'vimeo',
	title: 'Vimeo',
	hostnames: ['vimeo.com', 'player.vimeo.com'],
	width: 640,
	height: 360,
	doesResize: true,
	isAspectRatioLocked: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.hostname === 'vimeo.com') {
	if (urlObj.pathname.match(/^\/[0-9]+/)) {
	return (
	'https://player.vimeo.com/video/' + urlObj.pathname.split('/')[1] + '?title=0&byline=0'
	)
	}
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.hostname === 'player.vimeo.com') {
	const matches = urlObj.pathname.match(/^\/video\/([^/]+)\/?$/)
	if (matches) {
	return 'https://vimeo.com/' + matches[1]
	}
	}
	return
	},
	},
	{
	type: 'excalidraw',
	title: 'Excalidraw',
	hostnames: ['excalidraw.com'],
	width: 720,
	height: 500,
	doesResize: true,
	isAspectRatioLocked: true,
	toEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.hash.match(/#room=/)) {
	return url
	}
	return
	},
	fromEmbedUrl: (url) => {
	const urlObj = safeParseUrl(url)
	if (urlObj && urlObj.hash.match(/#room=/)) {
	return url
	}
	return
	},
	},
	]
	export const tlEmbedShapePermissionDefaults = {
	// ========================================================================================
	// Disabled permissions
	// ========================================================================================
	// [MDN] Experimental: Allows for downloads to occur without a gesture from the user.
	// [REASON] Disabled because otherwise the <iframe/> trick the user on behalf of us to performing an action
	'allow-downloads-without-user-activation': false,
	// [MDN] Allows for downloads to occur with a gesture from the user.
	// [REASON] Disabled because otherwise the <iframe/> trick the user on behalf of us to performing an action
	'allow-downloads': false,
	// [MDN] Lets the resource open modal windows.
	// [REASON] The <iframe/> could 'window.prompt("Enter your tldraw password")'
	'allow-modals': false,
	// [MDN] Lets the resource lock the screen orientation.
	// [REASON] Would interfer with tldraw interface
	'allow-orientation-lock': false,
	// [MDN] Lets the resource use the Pointer Lock API.
	// [REASON] Maybe we should allow this for games embeds (scratch/codepen/codesandbox)
	'allow-pointer-lock': false,
	// [MDN] Allows popups (such as window.open(), target="_blank", or showModalDialog()). If this keyword is not used, the popup will silently fail to open.
	// [REASON] We shouldn't allow popups as a embed could pretend to be us by opening a mocked version of tldraw. This is very unobvious when it is performed as an action within out app
	'allow-popups': true,
	// [MDN] Lets the sandboxed document open new windows without those windows inheriting the sandboxing. For example, this can safely sandbox an advertisement without forcing the same restrictions upon the page the ad links to.
	// [REASON] We're alread disabling popups.
	'allow-popups-to-escape-sandbox': false,
	// [MDN] Lets the resource start a presentation session.
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-presentation': false,
	// [MDN] Experimental: Lets the resource request access to the parent's storage capabilities with the Storage Access API.
	// [REASON] We don't want anyone else to access our storage
	'allow-storage-access-by-user-activation': false,
	// [MDN] Lets the resource navigate the top-level browsing context (the one named _top).
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-top-navigation': false,
	// [MDN] Lets the resource navigate the top-level browsing context, but only if initiated by a user gesture.
	// [REASON] Prevents embed from navigating away from tldraw and pretending to be us
	'allow-top-navigation-by-user-activation': false,
	// ========================================================================================
	// Enabled permissions
	// ========================================================================================
	// [MDN] Lets the resource run scripts (but not create popup windows).
	'allow-scripts': true,
	// [MDN] If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
	'allow-same-origin': true,
	// [MDN] Allows the resource to submit forms. If this keyword is not used, form submission is blocked.
	'allow-forms': true,
	} as const


	/** @public */
	export type TLEmbedShapePermissionName = keyof typeof tlEmbedShapePermissionDefaults
	/** @public */
	export type TLEmbedShapePermissions = { [K in TLEmbedShapePermissionName]?: boolean }