[wp-trac] [WordPress Trac] #28507: Secure oEmbeds

WordPress Trac noreply at wordpress.org
Wed Aug 13 00:10:59 UTC 2014


#28507: Secure oEmbeds
----------------------------+-----------------------------
 Reporter:  johnbillion     |       Owner:  johnbillion
     Type:  task (blessed)  |      Status:  accepted
 Priority:  normal          |   Milestone:  Future Release
Component:  Embeds          |     Version:
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+-----------------------------
Description changed by johnbillion:

Old description:

> We need to audit our oEmbed providers and determine:
>
>  * Which ones don't support embedding an `https` URL
>  * Which ones don't support embedding content over SSL
>
> If we have providers in core which do not support embedding content over
> SSL then we (or the WP.com team) should make contact and see if they're
> open to implementing it. This is pretty much a prerequisite for #28249 as
> it stands.
>
> ----
>
> Problem providers:
>
> ||=Provider=||=Core supports HTTPS URL=||=Endpoint recognises HTTPS
> URL||Embed supports HTTPS=||=Notes=||
> ||blip.tv||'''No'''||'''[http://blip.tv/oembed?url=https://blip.tv/stylestar/shine-6866879
> No]'''||-||Their website resolves over SSL but is broken||
> ||dailymotion.com||Yes||[http://www.dailymotion.com/services/oembed?url=https://www.dailymotion.com/video
> /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
> end_news Yes]||Nearly||Embeds are served over HTTPS if the oEmbed
> endpoint uses HTTPS
> ([https://www.dailymotion.com/services/oembed?url=https://www.dailymotion.com/video
> /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
> end_news example])||
> ||dai.ly||'''No'''||'''[http://www.dailymotion.com/services/oembed?url=https://dai.ly
> /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
> end_news No]'''||-||Invalid SSL certificate (points to dailymotion.com)||
> ||smugmug.com||Yes||[http://api.smugmug.com/services/oembed?url=https://gilmarphotography.smugmug.com/Galleries
> /Hamburger-Hat/i-TtMhZ3v/A&format=json Yes]||'''No'''||-||
> ||hulu.com||Yes||[http://www.hulu.com/api/oembed.json?url=https://www.hulu.com/watch/647281
> Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
> ||revision3.com||'''No'''||'''[https://revision3.com/api/oembed?url=https://revision3.com/sourcefednerd
> /game-of-thrones-the-watchers-on-the-wall-reviewed/ No]'''||-||Mixed
> content when viewing the site over HTTPS.||
> ||photobucket.com||'''No'''||[http://photobucket.com/oembed?url=https://i199.photobucket.com/albums/aa117/vchartman/weather/bearintherain-1.gif
> Yes]||'''No'''||Site doesn't resolve over HTTPS||
> ||scribd.com||Yes||'''[http://www.scribd.com/services/oembed?format=json&url=https%3A%2F%2Fwww.scribd.com%2Fdoc%2F65793063
> %2FMuestra-Comic-Asterix-II No]'''||-||HTTPS site redirects to HTTP
> site||
> ||poll.fm||Yes||[https://polldaddy.com/oembed/?url=https://poll.fm/4tzp6
> Yes]||Yes||Invalid SSL certificate (points to polldaddy.com)||
> ||funnyordie.com||Yes||[http://www.funnyordie.com/oembed?url=https%3A%2F%2Fwww.funnyordie.com%2Fvideos%2F82e2ad3eaa
> %2Fthrowing-shade-47-summer-vacay-and-guest-mo&format=json
> Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
> ||instagram.com||'''No'''||'''[http://api.instagram.com/oembed?url=https://instagram.com/p/rR9ZOSCjc_/
> No]'''||-||HTTPS site redirects to HTTP||
> ||instagr.am||'''No'''||'''[http://api.instagram.com/oembed?url=https://instagr.am/p/rR9ZOSCjc_/
> No]'''||-||Invalid SSL certificate (points to instagram.com)||
> ||imgur.com||Yes||[http://api.imgur.com/oembed?url=https://imgur.com/gallery/9dlrs
> Yes]||'''No'''||-||
> ||meetu.ps||Yes||?||?||?||
> ||collegehumor.com||Yes||[http://www.collegehumor.com/oembed.json?url=https://www.collegehumor.com/video/6970155
> /collegehumor-all-nighter-14-batman-of-the-office Yes]||'''No'''||-||
> ||ted.com||Yes||[http://www.ted.com/talks/oembed.json?url=https://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke_of_insight.html
> Yes]||Yes||Almost there, just some mixed content in embeds||
>
> Recently fixed providers:
>
>  * '''flic.kr'''
>  * '''slideshare.net'''
>  * '''wordpress.tv'''
>  * '''meetup.com'''
>
> Ok providers:
>
>  * '''youtube.com''' and '''youtu.be''' - SSL embeds via the
> `scheme=https` parameter.
>  * '''vimeo.com''' - Embeds are protocol-relative.
>  * '''flickr.com''' - SSL everywhere (same for flic.kr).
>  * '''polldaddy.com''' - Embeds are served over SSL if the parent
> container uses SSL. Effectively protocol-relative via JavaScript.
>  * '''twitter.com''' - SSL everywhere.
>  * '''soundcloud.com''' - SSL everywhere. (Minor note: their oEmbed
> response includes an `http` URL for the thumbnail on their CDN, but it
> resolves over `https` if you change it.)
>  * '''rdio.com''' and '''rd.io''' - SSL embeds by default.
>  * '''spotify.com''' - SSL everywhere.
>  * '''issuu.com''' - Embeds are served over SSL if the parent container
> uses SSL. Effectively protocol-relative via JavaScript.
>  * '''mixcloud.com''' - Embeds are protocol-relative.

New description:

 We need to audit our oEmbed providers and determine:

  * Which ones don't support embedding an `https` URL
  * Which ones don't support embedding content over SSL

 If we have providers in core which do not support embedding content over
 SSL then we (or the WP.com team) should make contact and see if they're
 open to implementing it. This is pretty much a prerequisite for #28249 as
 it stands.

 ----

 Problem providers:

 ||=Provider=||=Core supports HTTPS URL=||=Endpoint recognises HTTPS
 URL=||=Embed supports HTTPS=||=Notes=||
 ||blip.tv||'''No'''||'''[http://blip.tv/oembed?url=https://blip.tv/stylestar/shine-6866879
 No]'''||-||Their website resolves over SSL but is broken||
 ||dailymotion.com||Yes||[http://www.dailymotion.com/services/oembed?url=https://www.dailymotion.com/video
 /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
 end_news Yes]||Nearly||Embeds are served over HTTPS if the oEmbed endpoint
 uses HTTPS
 ([https://www.dailymotion.com/services/oembed?url=https://www.dailymotion.com/video
 /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
 end_news example])||
 ||dai.ly||'''No'''||'''[http://www.dailymotion.com/services/oembed?url=https://dai.ly
 /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
 end_news No]'''||-||Invalid SSL certificate (points to dailymotion.com)||
 ||smugmug.com||Yes||[http://api.smugmug.com/services/oembed?url=https://gilmarphotography.smugmug.com/Galleries
 /Hamburger-Hat/i-TtMhZ3v/A&format=json Yes]||'''No'''||-||
 ||hulu.com||Yes||[http://www.hulu.com/api/oembed.json?url=https://www.hulu.com/watch/647281
 Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
 ||revision3.com||'''No'''||'''[https://revision3.com/api/oembed?url=https://revision3.com/sourcefednerd
 /game-of-thrones-the-watchers-on-the-wall-reviewed/ No]'''||-||Mixed
 content when viewing the site over HTTPS.||
 ||photobucket.com||'''No'''||[http://photobucket.com/oembed?url=https://i199.photobucket.com/albums/aa117/vchartman/weather/bearintherain-1.gif
 Yes]||'''No'''||Site doesn't resolve over HTTPS||
 ||scribd.com||Yes||'''[http://www.scribd.com/services/oembed?format=json&url=https%3A%2F%2Fwww.scribd.com%2Fdoc%2F65793063
 %2FMuestra-Comic-Asterix-II No]'''||-||HTTPS site redirects to HTTP site||
 ||poll.fm||Yes||[https://polldaddy.com/oembed/?url=https://poll.fm/4tzp6
 Yes]||Yes||Invalid SSL certificate (points to polldaddy.com)||
 ||funnyordie.com||Yes||[http://www.funnyordie.com/oembed?url=https%3A%2F%2Fwww.funnyordie.com%2Fvideos%2F82e2ad3eaa
 %2Fthrowing-shade-47-summer-vacay-and-guest-mo&format=json
 Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
 ||instagram.com||'''No'''||'''[http://api.instagram.com/oembed?url=https://instagram.com/p/rR9ZOSCjc_/
 No]'''||-||HTTPS site redirects to HTTP||
 ||instagr.am||'''No'''||'''[http://api.instagram.com/oembed?url=https://instagr.am/p/rR9ZOSCjc_/
 No]'''||-||Invalid SSL certificate (points to instagram.com)||
 ||imgur.com||Yes||[http://api.imgur.com/oembed?url=https://imgur.com/gallery/9dlrs
 Yes]||'''No'''||-||
 ||meetu.ps||Yes||?||?||?||
 ||collegehumor.com||Yes||[http://www.collegehumor.com/oembed.json?url=https://www.collegehumor.com/video/6970155
 /collegehumor-all-nighter-14-batman-of-the-office Yes]||'''No'''||-||
 ||ted.com||Yes||[http://www.ted.com/talks/oembed.json?url=https://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke_of_insight.html
 Yes]||Yes||Almost there, just some mixed content in embeds||

 Recently fixed providers:

  * '''flic.kr'''
  * '''slideshare.net'''
  * '''wordpress.tv'''
  * '''meetup.com'''

 Ok providers:

  * '''youtube.com''' and '''youtu.be''' - SSL embeds via the
 `scheme=https` parameter.
  * '''vimeo.com''' - Embeds are protocol-relative.
  * '''flickr.com''' - SSL everywhere (same for flic.kr).
  * '''polldaddy.com''' - Embeds are served over SSL if the parent
 container uses SSL. Effectively protocol-relative via JavaScript.
  * '''twitter.com''' - SSL everywhere.
  * '''soundcloud.com''' - SSL everywhere. (Minor note: their oEmbed
 response includes an `http` URL for the thumbnail on their CDN, but it
 resolves over `https` if you change it.)
  * '''rdio.com''' and '''rd.io''' - SSL embeds by default.
  * '''spotify.com''' - SSL everywhere.
  * '''issuu.com''' - Embeds are served over SSL if the parent container
 uses SSL. Effectively protocol-relative via JavaScript.
  * '''mixcloud.com''' - Embeds are protocol-relative.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28507#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list