[wp-trac] [WordPress Trac] #39097: Links in embeds can't be opened in a new tab

WordPress Trac noreply at wordpress.org
Fri Apr 19 01:32:00 UTC 2019

#39097: Links in embeds can't be opened in a new tab
 Reporter:  smerriman                  |       Owner:  (none)
     Type:  defect (bug)               |      Status:  reopened
 Priority:  normal                     |   Milestone:  Awaiting Review
Component:  Embeds                     |     Version:  4.4
 Severity:  normal                     |  Resolution:
 Keywords:  needs-patch needs-testing  |     Focuses:

Comment (by swissspidy):

 That is a pretty accurate background summary, yes.

 > Could we remove the postMessage JS entirely, and instead use a value for
 the sandbox attribute which would allow links to work, without introducing
 security side-effects? allow-top-navigation was rejected, but it doesn't
 seem like allow-top-navigation-by-user-activation was considered.

 To be fair, `allow-top-navigation-by-user-activation` was added to
 Chrome in 2018, 3 years after we added oEmbed to WordPress. So this was
 not a thing at the time. Happy to give that a try now.

 > It seems like the only remaining JS might be the sharing button, which
 could be redesigned to not require JS.

 Not really an option a) because JS is required to improve the
 accessibility of the menu and b) postMessage is needed so that the iframe
 can inform the host site of its size, so that it can be resized
 accordingly (responsiveness).

 > Could we use allow-popups or allow-popups-to-escape-sandbox in some way?

 Happy to give that option a try as well.

 > Maybe the WP oEmbed provider can supply the WP oEmbed consumer with the
 raw data via JSON, and the consumer can sanitize and then render the HTML?

 There were plenty of discussions back in 2015 when we worked on oEmbed.
 The consensus was that the embedded site should be in control of the
 content and layout of the embed. It was not about being able to add "cool

 > Maybe the postMessage from the source server to the host server could
 tell the host server if it was a middle/cmd click. If it is, then the host
 could open it in a new tab.

 That is what we have explored in #35239. Please read through that ticket
 to see why that isn't feasible. tl;dr: back compat and user interaction.

 > Are there examples of other embeds solving this problem

 Not that I am currently aware of. WordPress is rather restrictive with
 embeds compared to others.

Ticket URL: <https://core.trac.wordpress.org/ticket/39097#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
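
Added example (not part of the ticket comment and not WordPress's own code): a host-page handler for the two postMessage uses discussed above, iframe resizing and link navigation, that acts on a message only when it comes from a known embed iframe. The message shape, the height limits and every name in it are assumptions.

```javascript
// Added example; message shape, limits and names are assumptions.
const MIN_HEIGHT = 200;
const MAX_HEIGHT = 1000;
// Returns what was done with the message: 'resized', 'navigated', 'blocked' or 'ignored'.
function handleEmbedMessage(event, iframes, navigate) {
  const data = event.data;
  if (!data || typeof data !== 'object') return 'ignored';
  // When the sandbox omits allow-same-origin the frame's origin is opaque,
  // so identify the sender by its window object, not by event.origin.
  const frame = iframes.find((f) => f.contentWindow === event.source);
  if (!frame) return 'ignored';

  if (data.message === 'height') {
    const h = parseInt(data.value, 10);
    if (Number.isNaN(h)) return 'ignored';
    // Clamp so an embed cannot cover the host page.
    frame.height = Math.min(Math.max(h, MIN_HEIGHT), MAX_HEIGHT);
    return 'resized';
  }
  if (data.message === 'link') {
    let target, source;
    try {
      target = new URL(data.value);
      source = new URL(frame.src);
    } catch (e) { return 'ignored'; }
    // Only http(s) links back to the site the embed was loaded from.
    if (!/^https?:$/.test(target.protocol)) return 'blocked';
    if (target.host !== source.host) return 'blocked';
    navigate(target.href);
    return 'navigated';
  }
  return 'ignored';
}

// Constructed sample: one known embed frame and a few messages.
function demo() {
  const win = {};
  const frame = { contentWindow: win, src: 'https://blog.example/post/embed/', height: 0 };
  const visited = [];
  const send = (source, data) => handleEmbedMessage({ source, data }, [frame], (u) => visited.push(u));
  const results = [
    send(win, { message: 'height', value: '5000' }),
    send({}, { message: 'height', value: '300' }),
    send(win, { message: 'link', value: 'https://blog.example/post/' }),
    send(win, { message: 'link', value: 'https://other.example/' }),
  ];
  return { results, height: frame.height, visited };
}
```

In a browser the handler would be registered with `window.addEventListener('message', ...)`, passing the page's embed iframes and a function that sets the top-level location.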
