[wp-trac] [WordPress Trac] #10337: Easier embeds for 2.9 (oEmbed perhaps?)
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 17 14:32:49 UTC 2009
#10337: Easier embeds for 2.9 (oEmbed perhaps?)
-------------------------------------+--------------------------------------
 Reporter:  ryan                     |        Owner:  Viper007Bond
     Type:  task (blessed)           |       Status:  closed
 Priority:  normal                   |    Milestone:  2.9
Component:  Shortcodes               |      Version:
 Severity:  normal                   |   Resolution:  fixed
 Keywords:  has-patch needs-testing  |
-------------------------------------+--------------------------------------
Comment(by Otto42):
Replying to [comment:74 Viper007Bond]:
> We're saving people from themselves. It's not "crippled" as you call it,
> it's just limited to a whitelist so the novice user doesn't screw
> themselves over.
Limiting it to a whitelist of sites is what makes it "crippled". The whole
point of oEmbed is to not be limited to selected sites, but to work with
any site.
Without discovery, oEmbed is basically unnecessary, you can just use a
plugin to add compatibility for each site using whatever methods that site
supports.
> If a user happened to paste the URL to something on my blog on its own
> line and unhyperlinked, I could easily make that URL turn into a bit of
> code that'd steal their login cookies without them ever knowing. Then I'd
> have full access to their blog.
There's better ways. Even says so in the oEmbed document itself:
"Consumers may wish to load the HTML in an off-domain iframe to avoid XSS
vulnerabilities."
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10337#comment:75>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
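
The two positions in this comment can be combined in one consumer. The following is an added example, not WordPress code and not written by either participant: a whitelisted provider's markup is inlined, while markup from a provider found through discovery is isolated. It assumes a sandboxed `srcdoc` iframe as a stand-in for the "off-domain iframe" the oEmbed document mentions; `TRUSTED_PROVIDERS`, `renderOEmbed` and the sample hosts are hypothetical.

```javascript
// Added example, not WordPress code. Names and sample data are constructed.
const TRUSTED_PROVIDERS = new Set(["video.example"]); // hypothetical whitelist

function escapeHtml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

function isHttpUrl(u) {
  try {
    return ["http:", "https:"].includes(new URL(u).protocol);
  } catch (e) {
    return false;
  }
}

// oEmbed width/height are provider-supplied; accept only sane integers.
function dim(v, fallback) {
  const n = Number.parseInt(v, 10);
  return Number.isInteger(n) && n > 0 && n <= 2000 ? n : fallback;
}

// providerHost: host of the oEmbed endpoint that produced `resp`.
function renderOEmbed(resp, providerHost) {
  const w = dim(resp.width, 500), h = dim(resp.height, 300);
  if (resp.type === "photo") {
    // Photo responses carry a URL, never markup: build the tag ourselves.
    if (!isHttpUrl(resp.url)) return "";
    return `<img src="${escapeHtml(resp.url)}" width="${w}" height="${h}" alt="${escapeHtml(resp.title || "")}">`;
  }
  if ((resp.type === "video" || resp.type === "rich") && typeof resp.html === "string") {
    // Whitelisted provider: markup is inlined as-is (full trust in that site).
    if (TRUSTED_PROVIDERS.has(providerHost)) return resp.html;
    // Discovered provider: isolate the markup. Without allow-same-origin the
    // frame gets an opaque origin and cannot read the host page's cookies.
    return `<iframe sandbox="allow-scripts" srcdoc="${escapeHtml(resp.html)}" width="${w}" height="${h}"></iframe>`;
  }
  return ""; // "link" and unknown types: leave the pasted URL as plain text
}

// Constructed response from a provider found via discovery.
const sample = { type: "rich", width: "400", height: "200",
  html: '"><script>alert(document.cookie)</script>' };
console.log(renderOEmbed(sample, "blog.example"));
```

Adding `allow-same-origin` to the `sandbox` list would give the `srcdoc` content the host page's origin again, so any extra tokens a provider's player needs should be granted one at a time.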