HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Thumbnails for embedded private Vimeo videos

hello there,

can't figure out why embedded private vimeo videos do not show up with a thumbnail (just the play icon)?

it works fine for public vimeo videos and youtube links. just not Vimeo ones with restricted access ("Hidden on Vimeo.com"; "Embedd on selected domains only")

Anybody with similar issues... and a solution? ;)

probably has to do with how the video request works in Vanilla? (guess the answer could be found on the Vimeo developer page... if one knows what they are talking about. Unfortunately I don't. 😔)


  • Options

    Okay, might have been to broad a question? But if you could point me in the right direction might be great already. :)

    I found files dealing with embedding here: /library/Vanilla/EmbeddedContent

    no idea, how those factory or embed files work. but VimeoEmbedFactory.php seems to be processing the returned video meta data here:

           $data = [
               "embedType" => VimeoEmbed::TYPE,
               "url" => $url,
               "name" => $response["title"] ?? null,
               "height" => $response["height"] ?? null,
               "width" => $response["width"] ?? null,
               "photoUrl" => $response["thumbnail_url"] ?? null,
               "videoID" => $response["video_id"] ?? null,

    but how do i fetch it? as it needs to be changed for privat links. as outlined in this link the request should look similar to this...

    curl -e http://example.com https://vimeo.com/api/oembed.json?url=https:%2F%2Fvimeo.com%2F286898202

    But I dont quite understand, how this curl-function would be used in Vanilla?

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    As far as I know, it's the server that fetches the video, not the user. So if the video is private, the server cannot access it although the users browser can.

  • Options

    Not sure if i understand. but the videos can be accessed. they are just missing the thumbnail. and vimeo says that the full info (including the thumbnails) has to be requested differently from regular public videos.

    you are saying, that curl-command/function/... would be something that is happening on the server level? but vanilla has to request the video somewhere, right?

    (sorry, but i don't have the slightest clue what is happening or what i am talking about. thanks for reading it anyway. ;) )

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    No problem, I'll explain it in another way:

    1. You can see the video because you are logged in to your account. That means that there is some cookie saved in your browser which tells vimeo who you are and that you have the needed rights to the view the video
    2. When you post a text to Vanilla, you post text, even if that text is a link. It's nothing more than some letters and numbers. When you upload a file to Vanilla you upload a file. But if you post a link to a video, you only post the link (only characters, no file)
    3. The rich embedding in Vanilla takes links and tries to generate nice previews from it. The Vanilla php files do so. The php script is running on your server. So it is your server that requests the videos from Vimeo. When your server requests the video it is not authenticated but some anonymous guest to Vimeo
    4. When you request a previously posted comment where a private video link is enclosed, you get in returned what has been posted and what the server can make of it: all text and links are nicely formatted and if there was some media in there, Vanillas php scripts try to generate the preview...
    5. ... but for private videos they fail because they would need some authentication which certainly hasn't been done. You need to authenticate to Vimeo everytime you change your browser and if the server should access vimeo with your account you would have to authenticate those requests to Vimeo anyhow and you know that you haven't done that at any time.
    6. And I don't think that would be a good idea. Not sure which possibilities you have but if the requests to vimeo that Vanilla is making are done with your user account, how could you ensure that there isn't a link like vimeo.com/myprofile/delete-my-account isn't posted?

    Okay, that last point is a bit paranoid and I might be wrong there. But I just wanted to stress that if an implementation is done wrong, it opens security issues.

  • Options

    I am really sorry, but I still didn't get it. 🙈

    But a new question came up...

    tl;dr : How do I set the referrer URL in my Vanilla request for Video info?


    If you have another peek at the Vimeo API info I posted earlier, at the very beginning, they are talking about a GET function.

    To get an oEmbed response for a video on Vimeo, send a GET request to the following URL:

    GET https://vimeo.com/api/oembed.json?url={video_url}

    In VimeoEmbedFactory.php the video info is requested here:

    class VimeoEmbedFactory extends AbstractEmbedFactory {
       const DOMAINS = ["vimeo.com"];
        const OEMBED_URL_BASE = "https://vimeo.com/api/oembed.json";

    e.g. withhttps://vimeo.com/api/oembed.json?url=https://vimeo.com/31043422

    I get all the correct info in the browser. But the same doesnt work for white-listed videos (I can only embed a video on certain URLs) as stated in the API description:

    Step 1 in the previous section assumes that you're embedding a video with the public privacy setting. But for videos with the whitelist privacy setting — that is, videos with domain-level privacy — the results are a little different. The oEmbed request returns a simplified response containing no private metadata [...]

    To get the complete response, including the private metadata, send the Referer header with the request, and set its value to the video's whitelisted domain. Here's what the request looks like in cURL (with the -e option, which gives you the Referer header) [...]

    ... and that's where they lost me. 😩

    So I guess the real question should have been:

    How do I set the referrer URL in my Vanilla request for Video info to Vimeo?

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    Okay, I was a little bit too hasty in the beginning. I saw "private videos" in the title and I had assumed that those videos are only accessible for users with access rights. Only now I have realized that you have explained it further as videos "Embedd on selected domains only".

    Since you must send additional data when the video information is fetched, this code in the VimeoEmbedFactory is relevant:

       public function createEmbedForUrl(string $url): AbstractEmbed {
           $response = $this->httpClient->get(
               ["url" => $url]

    This lines start the request where your referrer should be enclosed. I can think of three ways to ensure that.

    1. (Worst but easiest) Change that code. The HttpClients get method allows specifying a custom header:

       public function createEmbedForUrl(string $url): AbstractEmbed {
           $response = $this->httpClient->get(
               ["url" => $url],
               ['REFERER' => 'your-whitelisted-domain.de']

    2. You can set default headers which will be send with every request the HttpClient starts. WHile this is slightly better than the above in terms of how you should extend Vanilla, it takes influence on each and every request the client initiates. Therefore I don't like that.

    3. In theory it should be possible to replace which class is used as VimeoEmbedFactory. Instead of changing the original file, copying, changing the copy and let that copy be the default for Vimeo embeds would be the cleanest approach.

    I was interested if 3. would be as "easy" as I thought and therefore I tested something. Please try the attached plugin. You need to edit line 58 of MyVimeoEmbedFactory.php

    Not sure if this already works, but at least that file is used for Vimeo requests which makes it cleaner (than editing core files) if you want to test something

  • Options

    Please try the attached plugin.

    That was it. works like a charm... again. Thanks a lot! 🙌

    Would you suggest we just keep using that plugin on the live board?

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    For sure, that's the only clean approach, I'd say

  • Options
    R_JR_J Ex-Fanboy Munich Admin

    By the way: thanks for the feedback! I wasn't that sure that it would really work ;-)

  • Options

    Hi @R_J,

    sorry, but I have an additional issue:

    The videos now have thumbnails ...although unfortunately, I have to edit and re-embed every single video to fetch the thumbnail, but it works! 🙌

    What doesn't work is displaying the thumbnail correctly. Or rather getting a correct thumb. The thumbnails are always in landscape orientation and seem cropped (so a portrait video would be just the cropped center part in landscape orientation). Plus the image is somehow zoomed in. (See an example below.)

    I couldn't see any width/ heigth "numbers" in your plugin, so I am assuming it is just requesting "the" thumbnail for the video. But do you think there is a chance of editing which thumbnail Vanilla fetches?



    The thumbnail I get...

    How it looks on the board...

    What I was hoping to see...

Sign In or Register to comment.