[wp-trac] [WordPress Trac] #58120: oEmbed Mastodon
WordPress Trac
noreply at wordpress.org
Fri Apr 14 03:46:38 UTC 2023
#58120: oEmbed Mastodon
-----------------------------+------------------------------
Reporter: mediaformat | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by peterwilsoncc):
Replying to [comment:6 Otto42]:
> Note that adding `allow-same-origin` to the sandbox will also make the styling happen correctly.
>
> ...snip...
>
> I am uncertain of the security implications for this. Nevertheless, it is a viable option rather than eliminating sandbox security entirely.

It's quite unwise, I am afraid. Per the notes on [https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe MDN's iframe page]:

> When the embedded document has the same origin as the embedding page, it is **strongly discouraged** to use both `allow-scripts` and `allow-same-origin`, as that lets the embedded document remove the `sandbox` attribute — making it no more secure than not using the sandbox attribute at all.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58120#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
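
The combination the MDN note warns about can be checked mechanically when reviewing embed markup. The following is an added example, not part of the ticket or of WordPress core; the function name `classifySandbox`, its result labels and the sample URLs are assumptions.

```javascript
// Added example (not WordPress code): classify an iframe's sandbox attribute
// against the MDN warning quoted above. Labels and URLs are constructed.

function sandboxTokens(value) {
  // The sandbox attribute is a whitespace-separated, case-insensitive token set.
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function classifySandbox(sandbox, src, pageUrl) {
  // A missing attribute (null/undefined) means the frame is not sandboxed.
  // An empty string is the opposite: every restriction applies.
  if (sandbox === null || sandbox === undefined) return "unsandboxed";

  const tokens = sandboxTokens(sandbox);
  if (!(tokens.has("allow-scripts") && tokens.has("allow-same-origin"))) {
    return "restricted";
  }

  // Both tokens are present, so what matters is whose origin the frame gets.
  // Relative and empty src values resolve against the embedding page.
  let frameUrl;
  try {
    frameUrl = new URL(src || "", pageUrl);
  } catch {
    return "unparseable-src";
  }
  // about:blank inherits the embedding page's origin.
  const sameOrigin =
    frameUrl.protocol === "about:" ||
    frameUrl.origin === new URL(pageUrl).origin;

  // Same origin plus scripts: the framed document can reach its own <iframe>
  // element in the parent and remove the sandbox attribute (the MDN case).
  return sameOrigin ? "sandbox-removable" : "embed-keeps-own-origin";
}

// Constructed sample inputs.
const page = "https://blog.example/2023/04/post/";
const remote = "https://mastodon.example/@user/1/embed";
console.log(classifySandbox("allow-scripts", remote, page));
console.log(classifySandbox("allow-scripts allow-same-origin", "/embed/1", page));
console.log(classifySandbox("allow-scripts allow-same-origin", remote, page));
```
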