[wp-trac] [WordPress Trac] #58120: oEmbed Mastodon
WordPress Trac
noreply at wordpress.org
Fri Apr 14 01:05:03 UTC 2023
#58120: oEmbed Mastodon
-----------------------------+------------------------------
Reporter: mediaformat | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by peterwilsoncc):
For oembed iframes inserted via auto-discovery, WordPress adds the
attributes `sandbox="allow-scripts" security="restricted"`.
In my testing, removing the `sandbox` attribute from the iframe causes the
Mastodon oembeds to work: scripts and styles load as expected.
Unfortunately WordPress can't remove the attribute from embeds permitted
via auto-discovery for security reasons.
An exception is made for sites on the oembed allow-list (YouTube, Twitter,
etc) but due to the nature of Mastodon, it's impractical for WP to add
each instance to the allow-list. WordPress would need to review the embed
JavaScript for each instance to ensure that `nasty-hackers dot social`
hasn't modified the code from the default.
As such I think this needs to be resolved upstream by mastodon:
* ensure the embeds work with only the attributes in the WP html embed
allow list (see
[https://github.com/WordPress/wordpress-develop/blob/13a3c4c7f4c0d7e1da13edaf690dabe587ce9d80/src/wp-includes/embed.php#L894-L973 wp_filter_oembed_result()])
* use the mastodon embed.js file to enhance the embed's iframe for admin
users using the full embed code
I've created an upstream ticket in the hope the Mastodon folks can help
address this, see [https://github.com/mastodon/mastodon/issues/24534
mastodon/mastodon#24534]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58120#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
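The filtering step the comment refers to, shown as a stand-alone Python illustration added here (not WordPress's own PHP, and not code from the ticket): only an approximate allow-list of iframe attributes survives, anything else the provider sent (including its own `sandbox`) is dropped, and `sandbox="allow-scripts" security="restricted"` is appended for auto-discovered providers. The attribute list, the `trusted` flag and the sample response are assumptions.

```python
import re
from html import escape

# Assumption: this attribute allow-list approximates the iframe entry in
# wp_filter_oembed_result(); it is not WordPress's own code.
ALLOWED_IFRAME_ATTRS = {"src", "width", "height", "frameborder", "marginwidth",
                        "marginheight", "scrolling", "title"}

SANDBOX_ATTRS = 'sandbox="allow-scripts" security="restricted"'

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def filter_oembed_iframe(html: str, trusted: bool = False) -> str:
    """Return the iframe-only markup kept for an auto-discovered provider,
    or "" when the response carries no iframe at all. Providers on the
    oembed allow-list (trusted=True) bypass the filter, as the comment says."""
    if trusted:
        return html
    m = IFRAME_RE.search(html)
    if not m:
        return ""
    kept = []
    for attr in ATTR_RE.finditer(m.group(1)):
        name = attr.group(1).lower()
        if name not in ALLOWED_IFRAME_ATTRS:
            continue  # drops e.g. allow, style, onload and any provider sandbox
        value = next(g for g in attr.groups()[1:] if g is not None)
        kept.append(f'{name}="{escape(value, quote=True)}"')
    # Every surviving iframe gets the restrictive sandbox: scripts may run,
    # but there is no allow-same-origin, which is what breaks the Mastodon embed.
    return "<iframe " + " ".join(kept + [SANDBOX_ATTRS]) + "></iframe>"


# Constructed sample response; not a real provider's oEmbed payload.
SAMPLE = ('<script src="https://example.invalid/embed.js"></script>'
          '<iframe src="https://example.invalid/post/1/embed" width="400" '
          'height="300" allowfullscreen style="border:0" onload="x()" '
          'sandbox="allow-scripts allow-same-origin"></iframe>')

if __name__ == "__main__":
    print(filter_oembed_iframe(SAMPLE))
```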