[wp-trac] [WordPress Trac] #44400: Adjust `sandbox` attribute for Sutori embeds via oEmbed discovery

WordPress Trac noreply at wordpress.org
Mon Jun 18 21:57:00 UTC 2018


#44400: Adjust `sandbox` attribute for Sutori embeds via oEmbed discovery
-------------------------+-------------------------------------------------
 Reporter:  yoran        |      Owner:  (none)
     Type:  feature      |     Status:  new
  request                |
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Embeds       |    Version:
 Severity:  normal       |   Keywords:  dev-feedback 2nd-opinion reporter-
  Focuses:               |  feedback
-------------------------+-------------------------------------------------
 == Description
 We provide an oEmbed endpoint. Its discovery in WordPress works but the
 resulting embed is not working due to a security restriction on the
 `<iframe>` embed. More specifically, setting `sandbox="allow-scripts
 allow-same-origin"` instead of `sandbox="allow-scripts"` (the default)
 results in a functioning embed. You can view a
 [https://codepen.io/YoranBrondsema/pen/OEzpbb non-working embed here] and
 [https://codepen.io/YoranBrondsema/pen/VdyppY a working embed].

 We've had multiple users requesting to embed Sutori into their WordPress
 blog so therefore we would like to find a solution.

 We see two options:

 1. Adding an exception to the embed code sanitizer used by oEmbed
 Discovery to add the `allow-same-origin` permission on the `sandbox`
 attribute.
 2. Whitelist Sutori as a provider.

 We think the first option would be less intrusive for the WordPress
 codebase and sufficient for our use cases. Our full embed code adds
 `<script>` tags in order to automatically adjust the height of the iframe
 according to the content. These tags are stripped by the WordPress
 sanitizer, effectively fixing the height of the iframe and adding a
 scrollbar.

 Before we submit a patch, we would like to hear the opinion of WordPress
 contributors whether you think the first option is also the best way to go
 from WordPress' point of view.

 == About Sutori
 [https://www.sutori.com Sutori] is a collaborative visual story builder
 that helps students garner 21st century skills of collaboration,
 creativity, critical thinking and communication.

 === Is the service popular enough for core developers to have heard of
 it before? Is it “mainstream?”

 At the time of writing, Sutori has over 800,000 users around the world.
 About 80% of those are K-12 students and teachers.

 === If similar services are already supported, how does this service
 compare in terms of size, features, and backing?

 There are other presentation tools supported in WordPress (SlideShare,
 Speaker Deck) but none of them are education-focused. Sutori would be the
 first one.

 === Does this service have a large following on Twitter, Facebook, or
 other social media?  Is its Twitter account verified?

 The Twitter account (https://twitter.com/SutoriApp) has about 3300
 followers.

 === Is its oEmbed endpoint clearly established and properly documented?
 (Sometimes, they are just a developer’s pet project that may not be
 supported.)

 The endpoint is documented on https://oembed.com/.

 === Does the oEmbed endpoint work with WordPress’ oEmbed auto-discovery?
 If not, could it be made to work with additional HTML tags or attributes
 being whitelisted?

 See explanation above. It is discovered but the `sandbox` attribute on the
 iframe is too restrictive.

 === Does the service make an effort to build relationships with
 developers, such as through robust APIs?

 Sutori does not have an open API. It is implemented as a single-page
 application so the frontend is the sole consumer of the API.

 === How old is the service?
 We launched in 2014.

 === Does it have a well-established Wikipedia article? (Seriously.)
 Sutori does not have a Wikipedia article.

 === Has anyone written a WordPress plugin that leverages the service in
 some way, whether adding it as an oEmbed provider, creating a shortcode,
 or leveraging other APIs of the service? Do these plugins have any
 noticeable adoption or traction that would indicate usage and demand?

 As far as we know, there is no WordPress plugin that leverages Sutori.

 === Is the provider frequently proposed?

 This is the first time.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44400>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
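One way to model the sanitizer step the ticket describes, as an added example that is not WordPress core's code or Sutori's: it strips `<script>` elements, forces a chosen `sandbox` token list onto each `<iframe>`, and checks whether the `allow-scripts allow-same-origin` combination the ticket asks for still isolates the frame, which it does only when the framed document is cross-origin to the embedding site. The sample embed markup, the embed path and the function names are constructed for this example and use only the Node.js standard library.

```javascript
// Added example (not WordPress core code): a simplified model of the
// "sanitize discovered oEmbed HTML" step the ticket describes, plus a
// check for the one sandbox combination that is only safe cross-origin.

const DEFAULT_SANDBOX = ['allow-scripts'];                         // "the default" in the ticket
const REQUESTED_SANDBOX = ['allow-scripts', 'allow-same-origin'];  // what the ticket asks for

// Constructed sample modelled on the ticket: an iframe plus a resize script.
// The embed path is a placeholder, not a real Sutori URL.
const SAMPLE_EMBED =
  '<iframe src="https://www.sutori.com/embed/example" width="100%" height="600"></iframe>' +
  '<script src="https://www.sutori.com/embed.js"></script>';

// Strip <script> elements and force a sandbox attribute on every <iframe>.
// `tokens` is the sandbox token list the site operator chose for this provider;
// any sandbox value the provider itself supplied is discarded.
function hardenEmbedHtml(html, tokens = DEFAULT_SANDBOX) {
  const noScripts = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  return noScripts.replace(/<iframe\b([^>]*)>/gi, (_m, attrs) => {
    const cleaned = attrs.replace(/\s+sandbox\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
    return `<iframe sandbox="${tokens.join(' ')}"${cleaned}>`;
  });
}

// Extract the src of the first iframe in the markup, or null if there is none.
function firstIframeSrc(html) {
  const m = html.match(/<iframe\b[^>]*\ssrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i);
  return m ? (m[2] || m[3] || m[4] || null) : null;
}

// True when the sandbox still isolates the frame. allow-scripts together with
// allow-same-origin is acceptable only if the framed document comes from a
// different origin than the embedding page: a same-origin scripted frame can
// reach its parent's DOM and remove the sandbox attribute altogether.
function sandboxIsolates(tokens, iframeSrc, hostOrigin) {
  const scripts = tokens.includes('allow-scripts');
  const sameOrigin = tokens.includes('allow-same-origin');
  if (!(scripts && sameOrigin)) return true;
  return new URL(iframeSrc, hostOrigin).origin !== new URL(hostOrigin).origin;
}

// Usage: sanitize the sample with the requested tokens and check the result.
const hardened = hardenEmbedHtml(SAMPLE_EMBED, REQUESTED_SANDBOX);
const ok = sandboxIsolates(REQUESTED_SANDBOX, firstIframeSrc(hardened), 'https://blog.example');
console.log(hardened, ok ? 'cross-origin: sandbox still isolates' : 'same-origin: sandbox ineffective');
```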

