[wp-trac] [WordPress Trac] #36755: Native oEmbed support on Custom Post Types produces Cross-site scripting errors or are not rendered at all.

WordPress Trac noreply at wordpress.org
Thu May 5 07:30:12 UTC 2016


#36755: Native oEmbed support on Custom Post Types produces Cross-site scripting
errors or are not rendered at all.
-------------------------------+------------------------------
 Reporter:  webdevmattcrom     |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  TinyMCE            |     Version:  4.5.1
 Severity:  normal             |  Resolution:
 Keywords:  needs-screenshots  |     Focuses:  javascript
-------------------------------+------------------------------

Comment (by andtrev):

 When I navigate to the oembed url for the post you're embedding I get a
 404: https://www.mattcromwell.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.mattcromwell.com%2Fget-analytify%2F

 I also see this JS error message on other pages like
 https://www.mattcromwell.com/hi-im-matt/about-me/ :
 {{{
 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided
 ('https://www.mattcromwell.com') does not match the recipient window's
 origin ('null').
 https://js.stripe.com/v2/channel.html?stripe_xdm_e=https%3A%2F%2Fwww.mattcromwell.com&stripe_xdm_c=default286544&stripe_xdm_p=1
 }}}

 This is from Stripe, not sure if this is caused because of the other JS
 errors, but the errors aren't limited to oembed.

 Replying to [comment:7 webdevmattcrom]:
 >
 > This result is currently live on my site. See far bottom right footer widget:
 > https://www.mattcromwell.com/ro-fawp-politics/
 >
 > Here's the copy of both of those errors:
 >
 > {{{
 > Uncaught SecurityError: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.
 > }}}
 >
 > {{{
 > Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://www.mattcromwell.com') does not match the recipient window's origin ('null').
 > script.js:474 Uncaught SecurityError: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.
 > }}}
 >
 > {{{
 > Uncaught SecurityError: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.
 > }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36755#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

