[wp-trac] [WordPress Trac] #32522: oEmbed WordPress Posts in WordPress Posts
noreply at wordpress.org
Thu Jul 16 00:24:12 UTC 2015
#32522: oEmbed WordPress Posts in WordPress Posts
Reporter: melchoyce | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration
Comment (by Viper007Bond):
As cool as this would be, I'm not sure how feasible it is. oEmbed requires
too much trust. If we do this, it's going to require some very major
rethinking of the whole embeds process in WordPress. It's a much, much
larger discussion than just "let's embed WordPress posts".
oEmbed discovery is currently disabled within WordPress. That means if the
URL doesn't match [https://core.trac.wordpress.org/browser/tags/4.2.2/src
/wp-includes/class-oembed.php#L32 the oEmbed whitelist], then it's ignored
and becomes a regular clickable link.
Allowing you to embed a post from any WordPress-powered website would
require turning oEmbed discovery on. That means for a URL that isn't on
the whitelist, we would connect to the URL and inspect the `<head>`
looking for oEmbed tags. If we found one, we'd connect to the endpoint and
be given HTML that would then be inserted right into the post.
That works only if we trust the remote site to provide us with safe HTML.
It's why we have the whitelist and only add sites that we are confident
aren't going to start returning malicious HTML. If YouTube wanted to, they
could inject bad HTML into millions of WordPress sites pretty easily.
So for any site that's not on the whitelist, we would need to apply some
type of sanitization to the response, such as ignoring any response that
isn't the `rich` type. We then run the HTML through kses to strip it down
to safe HTML (formatting and links, maybe even less). We'd then build the
embed HTML locally and inject the safe, remote text (title, content, etc.)
iframes aren't a solution either for a number of reasons. What if a post
from my tiny little website gets embedded into a popular website? First
off, my server is then being hammered with traffic. Secondly, I could then
abuse that and have my website serve different content such as
advertisements or even disgusting images. The content that the popular
website expected to be displayed is not longer being displayed. Everything
needs to be local.
We also need to make sure we aren't ever expiring caches of the local
content. If the remote post is edited, we need to '''not''' be pulling
down an updated copy because again, the other site could edit their post
to contain lots of explicit content.
Images need to be mirrored locally for the exact same reason. I don't want
to embed your image on my site only to have you replace the image with
The list goes on from there on things to think about in order to make this
It's not as straightforward as it seems.
Ticket URL: <https://core.trac.wordpress.org/ticket/32522#comment:32>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac