[wp-trac] [WordPress Trac] #28507: Secure oEmbeds

WordPress Trac noreply at wordpress.org
Thu May 23 21:23:59 UTC 2019


#28507: Secure oEmbeds
----------------------------+--------------------------
 Reporter:  johnbillion     |       Owner:  johnbillion
     Type:  task (blessed)  |      Status:  closed
 Priority:  normal          |   Milestone:  5.3
Component:  Embeds          |     Version:
 Severity:  normal          |  Resolution:  fixed
 Keywords:  ongoing https   |     Focuses:
----------------------------+--------------------------
Description changed by johnbillion:

Old description:

> We need to audit our oEmbed providers and determine:
>
>  * Which ones don't support embedding an `https` URL
>  * Which ones don't support embedding content over SSL
>
> If we have providers in core which do not support embedding content over
> SSL then we (or the WP.com team) should make contact and see if they're
> open to implementing it. This is pretty much a prerequisite for #28249 as
> it stands.
>
> ----
>
> Problem providers:
>
> None!
>
> Recently fixed providers:
>
>  * '''flic.kr''' - HTTPS everywhere. Regex corrected in r28834.
>  * '''slideshare.net''' - HTTPS embeds since r28834.
>  * '''wordpress.tv''' - HTTPS embeds for HTTPS URLs.
>  * '''meetup.com''' and '''meetu.ps''' - HTTPS embeds for HTTPS URLs.
>  * '''instagram.com''' - HTTPS everywhere since r31710.
>  * '''instagr.am''' - HTTPS URLs are now supported.
>  * '''dailymotion.com''' - Uses the HTTPS oEmbed endpoint since r34587.
>  * '''dai.ly''' - Cert is now valid for the dai.ly domain.
>  * '''smugmug.com''' - Embeds now use HTTPS by default.
>  * '''funnyordie.com''' - Embeds are now protocol-relative and cert is
> now valid.
>  * '''imgur.com''' - Embeds are now protocol-relative.
>  * '''collegehumor.com''' - HTTPS embeds for HTTPS URLs.
>  * '''animoto.com''' and '''video214.com''' - Embeds now use HTTPS by
> default. See also r34588.
>  * '''kck.st''' - Cert is now valid for the kck.st domain.
>  * '''poll.fm''' - Cert is now valid for the poll.fm domain, redirects to
> crowdsignal.com
>  * '''photobucket.com''' - Removed in #45399
>  * '''hulu.com'''HTTPS everywhere since r45385.
>
> Ok providers:
>
>  * '''youtube.com''' and '''youtu.be''' - HTTPS everywhere.
>  * '''vimeo.com''' - Embeds are protocol-relative.
>  * '''flickr.com''' - HTTPS everywhere (same for flic.kr).
>  * '''polldaddy.com''' - Embeds are served over HTTPS if the parent
> container uses HTTPS. Effectively protocol-relative via JavaScript.
>  * '''twitter.com''' - HTTPS everywhere.
>  * '''soundcloud.com''' - HTTPS everywhere. (Minor note: their oEmbed
> response includes an `http` URL for the thumbnail on their CDN, but it
> resolves over `https` if you change it.)
>  * '''rdio.com''' and '''rd.io''' - HTTPS embeds by default.
>  * '''spotify.com''' - HTTPS everywhere.
>  * '''issuu.com''' - Embeds are served over HTTPS if the parent container
> uses HTTPS. Effectively protocol-relative via JavaScript.
>  * '''mixcloud.com''' - Embeds are protocol-relative.
>  * '''tumblr.com''' - Embeds are partly HTTPS and partly protocol-
> relative.
>  * '''vine.co''' - HTTPS everywhere.
>  * '''scribd.com''' - HTTPS embeds by default.
>  * '''ted.com''' - HTTPS embeds for HTTPS URLs.
>  * '''videopress.com''' - HTTPS embeds for HTTPS URLs.
>  * '''reverbnation.com''' - HTTPS embeds by default.
>  * '''speakerdeck.com''' - Embeds are protocol-relative.
>  * '''facebook.com''' - HTTPS everywhere.

New description:

 We need to audit our oEmbed providers and determine:

  * Which ones don't support embedding an `https` URL
  * Which ones don't support embedding content over SSL

 If we have providers in core which do not support embedding content over
 SSL then we (or the WP.com team) should make contact and see if they're
 open to implementing it. This is pretty much a prerequisite for #28249 as
 it stands.

 ----

 Problem providers:

 None!

 Recently fixed providers:

  * '''flic.kr''' - HTTPS everywhere. Regex corrected in r28834.
  * '''slideshare.net''' - HTTPS embeds since r28834.
  * '''wordpress.tv''' - HTTPS embeds for HTTPS URLs.
  * '''meetup.com''' and '''meetu.ps''' - HTTPS embeds for HTTPS URLs.
  * '''instagram.com''' - HTTPS everywhere since r31710.
  * '''instagr.am''' - HTTPS URLs are now supported.
  * '''dailymotion.com''' - Uses the HTTPS oEmbed endpoint since r34587.
  * '''dai.ly''' - Cert is now valid for the dai.ly domain.
  * '''smugmug.com''' - Embeds now use HTTPS by default.
  * '''funnyordie.com''' - Embeds are now protocol-relative and cert is now
 valid.
  * '''imgur.com''' - Embeds are now protocol-relative.
  * '''collegehumor.com''' - HTTPS embeds for HTTPS URLs.
  * '''animoto.com''' and '''video214.com''' - Embeds now use HTTPS by
 default. See also r34588.
  * '''kck.st''' - Cert is now valid for the kck.st domain.
  * '''poll.fm''' - Cert is now valid for the poll.fm domain, redirects to
 crowdsignal.com
  * '''photobucket.com''' - Removed in #45399
  * '''hulu.com''' - HTTPS everywhere since r45385.

 Ok providers:

  * '''youtube.com''' and '''youtu.be''' - HTTPS everywhere.
  * '''vimeo.com''' - Embeds are protocol-relative.
  * '''flickr.com''' - HTTPS everywhere (same for flic.kr).
  * '''polldaddy.com''' - Embeds are served over HTTPS if the parent
 container uses HTTPS. Effectively protocol-relative via JavaScript.
  * '''twitter.com''' - HTTPS everywhere.
  * '''soundcloud.com''' - HTTPS everywhere. (Minor note: their oEmbed
 response includes an `http` URL for the thumbnail on their CDN, but it
 resolves over `https` if you change it.)
  * '''rdio.com''' and '''rd.io''' - HTTPS embeds by default.
  * '''spotify.com''' - HTTPS everywhere.
  * '''issuu.com''' - Embeds are served over HTTPS if the parent container
 uses HTTPS. Effectively protocol-relative via JavaScript.
  * '''mixcloud.com''' - Embeds are protocol-relative.
  * '''tumblr.com''' - Embeds are partly HTTPS and partly protocol-
 relative.
  * '''vine.co''' - HTTPS everywhere.
  * '''scribd.com''' - HTTPS embeds by default.
  * '''ted.com''' - HTTPS embeds for HTTPS URLs.
  * '''videopress.com''' - HTTPS embeds for HTTPS URLs.
  * '''reverbnation.com''' - HTTPS embeds by default.
  * '''speakerdeck.com''' - Embeds are protocol-relative.
  * '''facebook.com''' - HTTPS everywhere.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/28507#comment:83>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
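An added example, not WordPress core code and not part of the ticket, that applies the ticket's second criterion (is the embedded content served over SSL?) to an oEmbed JSON response offline and labels it the way the lists above do; the provider responses and hostnames in it are constructed samples.

```python
"""Classify an oEmbed provider response the way this ticket's lists do.
Added example, not WordPress core code; sample responses are constructed."""
import json
import re
from urllib.parse import urlparse

# Attributes in embed HTML that fetch a subresource (iframe/script/img src,
# <object data>). Plain href links are navigations, not mixed content.
_SUBRESOURCE_RE = re.compile(r"""\b(?:src|data)\s*=\s*["']([^"']+)["']""", re.I)

def classify_url(url):
    """'https', 'protocol-relative', 'http' or 'other' (data:, relative)."""
    if url.startswith("//"):
        return "protocol-relative"
    scheme = urlparse(url).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"

def audit_oembed(response_json):
    """Return (verdict, notes). 'HTTPS everywhere': all subresources https;
    'protocol-relative': some '//' (inherits page scheme), none plain http;
    'problem': plain-http content would load into an https page. thumbnail_url
    is metadata, not rendered, so it only yields a note (cf. soundcloud)."""
    resp = json.loads(response_json)
    urls = _SUBRESOURCE_RE.findall(resp.get("html") or "")
    if resp.get("type") == "photo" and resp.get("url"):
        urls.append(resp["url"])  # photo embeds load `url` as the <img> src
    kinds = {classify_url(u) for u in urls}
    notes = []
    thumb = resp.get("thumbnail_url")
    if thumb and classify_url(thumb) == "http":
        notes.append("thumbnail_url is plain http: " + thumb)
    if "http" in kinds:
        return "problem", notes
    if "protocol-relative" in kinds:
        return "protocol-relative", notes
    return "HTTPS everywhere", notes

# Constructed sample responses (not real provider output).
SAMPLES = {name: json.dumps(body) for name, body in {
    "all_https": {"type": "video", "html": '<iframe src="https://p.example/v/1"></iframe>'},
    "relative": {"type": "rich", "html": '<script src="//cdn.example/embed.js"></script>'},
    "mixed": {"type": "video", "html": '<iframe src="http://p.example/v/1"></iframe>'},
    "photo_http": {"type": "photo", "url": "http://img.example/p.jpg"},
    "thumb_only": {"type": "video", "thumbnail_url": "http://i.example/t.jpg",
                   "html": '<iframe src="https://p.example/v/2"></iframe>'},
}.items()}

def audit_all(samples=SAMPLES):
    """Map sample name -> verdict, as an audit report would."""
    return {name: audit_oembed(body)[0] for name, body in samples.items()}
```

The first criterion (whether the provider's endpoint accepts an `https` URL at all) needs a live request and is not checked here.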