[wp-trac] [WordPress Trac] #36755: Native oEmbed support on Custom Post Types produces Cross-site scripting errors or are not rendered at all.

WordPress Trac noreply at wordpress.org
Wed May 11 04:03:58 UTC 2016


#36755: Native oEmbed support on Custom Post Types produces Cross-site scripting
errors or are not rendered at all.
-------------------------------+------------------------------
 Reporter:  webdevmattcrom     |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  TinyMCE            |     Version:  4.5.1
 Severity:  normal             |  Resolution:
 Keywords:  needs-screenshots  |     Focuses:  javascript
-------------------------------+------------------------------

Comment (by webdevmattcrom):

 Replying to [comment:9 andtrev]:
 > I also see this JS error message on other pages like
 > https://www.mattcromwell.com/hi-im-matt/about-me/ :
 > {{{
 > Failed to execute 'postMessage' on 'DOMWindow': The target origin
 > provided ('https://www.mattcromwell.com') does not match the recipient
 > window's origin ('null').
 > https://js.stripe.com/v2/channel.html?stripe_xdm_e=https%3A%2F%2Fwww.mattcromwell.com&stripe_xdm_c=default286544&stripe_xdm_p=1
 > }}}

 Actually, the Stripe error and others are being triggered because of the
 oEmbed problem. It's a cross-site scripting error because Stripe is trying
 to be loaded from inside the oEmbed but the source is registering as
 "null".

 To clarify that a bit more, I removed all the oEmbed widgets from my site,
 except on one post.

 You can see the errors here where the native oEmbed is in the footer:
 https://www.mattcromwell.com/commentary-on-mullenweg-interview/

 But check any other page and there are zero errors.

 > When I navigate to the oembed url for the post you're embedding I get a
 > 404:
 > https://www.mattcromwell.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.mattcromwell.com%2Fget-analytify%2F

 Where are you getting that URL from? The URL I pasted into that widget is:
 https://www.mattcromwell.com/promotions/get-analytify/

 But I did test this again locally with Twenty Fifteen just now and the
 oEmbed worked as expected. What is strange is how so many others have been
 able to duplicate this problem consistently (see the Twenty Sixteen GitHub
 issue link above). Perhaps in the end this might not be an actual "bug"
 but the behavior definitely is buggy.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36755#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
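
The console message quoted in this comment is the browser's `postMessage` target-origin check failing against a recipient whose origin serializes as "null". The following is an added example, not part of the ticket and not WordPress or Stripe code: a small model of that check, assuming the embed iframe is sandboxed without `allow-same-origin`; the function names and the `blog.example` URLs are constructed for illustration.

```javascript
// Models the browser's postMessage targetOrigin check.
// Assumption: the embed iframe carries a sandbox attribute without
// allow-same-origin. URLs below are constructed samples.

// Origin a framed document reports. A sandboxed iframe without the
// allow-same-origin token gets an opaque origin, serialized as "null".
// sandbox === null means the attribute is absent.
function frameOrigin(src, sandbox) {
  if (sandbox !== null) {
    const tokens = sandbox.split(/\s+/).filter(Boolean);
    if (!tokens.includes('allow-same-origin')) return 'null';
  }
  return new URL(src).origin;
}

// Would window.postMessage(msg, targetOrigin) reach a recipient with this
// origin? "*" matches anything; otherwise the origins must be equal, and an
// opaque origin ("null") never equals a concrete targetOrigin.
function delivers(targetOrigin, recipientOrigin) {
  if (targetOrigin === '*') return true;
  if (recipientOrigin === 'null') return false;
  return new URL(targetOrigin).origin === recipientOrigin;
}

// Receiver-side check: accept a message only from an allow-listed origin,
// and never from an opaque one, even if "null" was put on the list.
function acceptMessage(event, allowedOrigins) {
  return event.origin !== 'null' && allowedOrigins.includes(event.origin);
}

const site = 'https://blog.example';            // constructed
const embedSrc = site + '/some-post/embed/';    // constructed

const sandboxed = frameOrigin(embedSrc, 'allow-scripts');
const plain = frameOrigin(embedSrc, null);

// A script that pins targetOrigin to the site cannot reach the sandboxed
// embed document, which is the mismatch the console message reports.
console.log(sandboxed, delivers(site, sandboxed));
console.log(plain, delivers(site, plain));
```

Under this model the sender's only way to reach the sandboxed document is a `*` target origin, which is why the receiving side should still check `event.origin` as `acceptMessage` does.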