[wp-trac] [WordPress Trac] #32522: oEmbed WordPress Posts in WordPress Posts

WordPress Trac noreply at wordpress.org
Thu Jul 16 00:24:12 UTC 2015 

#32522: oEmbed WordPress Posts in WordPress Posts
-------------------------+------------------------------
 Reporter:  melchoyce    |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Embeds       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration
-------------------------+------------------------------

Comment (by Viper007Bond):

 As cool as this would be, I'm not sure how feasible it is. oEmbed requires
 too much trust. If we do this, it's going to require some very major
 rethinking of the whole embeds process in WordPress. It's a much, much
 larger discussion than just "let's embed WordPress posts".

 oEmbed discovery is currently disabled within WordPress. That means if the
 URL doesn't match [https://core.trac.wordpress.org/browser/tags/4.2.2/src
 /wp-includes/class-oembed.php#L32 the oEmbed whitelist], then it's ignored
 and becomes a regular clickable link.

 Allowing you to embed a post from any WordPress-powered website would
 require turning oEmbed discovery on. That means for a URL that isn't on
 the whitelist, we would connect to the URL and inspect the `<head>`
 looking for oEmbed tags. If we found one, we'd connect to the endpoint and
 be given HTML that would then be inserted right into the post.

 That works only if we trust the remote site to provide us with safe HTML.
 It's why we have the whitelist and only add sites that we are confident
 aren't going to start returning malicious HTML. If YouTube wanted to, they
 could inject bad HTML into millions of WordPress sites pretty easily.

 So for any site that's not on the whitelist, we would need to apply some
 type of sanitization to the response, such as ignoring any response that
 isn't the `rich` type. We then run the HTML through kses to strip it down
 to safe HTML (formatting and links, maybe even less). We'd then build the
 embed HTML locally and inject the safe, remote text (title, content, etc.)
 into it.

 iframes aren't a solution either for a number of reasons. What if a post
 from my tiny little website gets embedded into a popular website? First
 off, my server is then being hammered with traffic. Secondly, I could then
 abuse that and have my website serve different content such as
 advertisements or even disgusting images. The content that the popular
 website expected to be displayed is not longer being displayed. Everything
 needs to be local.

 We also need to make sure we aren't ever expiring caches of the local
 content. If the remote post is edited, we need to '''not''' be pulling
 down an updated copy because again, the other site could edit their post
 to contain lots of explicit content.

 Images need to be mirrored locally for the exact same reason. I don't want
 to embed your image on my site only to have you replace the image with
 something else.

 The list goes on from there on things to think about in order to make this
 safe.

 It's not as straightforward as it seems.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32522#comment:32>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list