[wp-trac] [WordPress Trac] #28507: Secure oEmbeds
WordPress Trac
noreply at wordpress.org
Wed Jun 11 23:35:55 UTC 2014
#28507: Secure oEmbeds
----------------------------+------------------
Reporter: johnbillion | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+------------------
Comment (by johnbillion):
Well, it's not looking good.
Problem providers:
* '''blip.tv''' - No support in core for `https` URL. No support for
embedding content over SSL
([https://blip.tv/oembed?url=https://blip.tv/stylestar/shine-6866879
example]). Their website resolves over SSL but is broken.
* '''dailymotion.com''' - No support for embedding content over SSL ([https://www.dailymotion.com/services/oembed?url=https://www.dailymotion.com/video/x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-end_news example]).
* '''dai.ly''' - No support in core for `https` URL. SSL certificate is
invalid (dailymotion.com domain). No support for embedding content over
SSL (as above).
* '''flic.kr''' - No support in core for `https` URL. Everything else ok.
* '''smugmug.com''' - Invalid SSL certificate (points to an Akamai domain). No support for embedding content over SSL ([http://api.smugmug.com/services/oembed?url=https://gilmarphotography.smugmug.com/Galleries/Hamburger-Hat/i-TtMhZ3v/A example]).
* '''hulu.com''' - Invalid SSL certificate (points to an Akamai domain).
No support for embedding content over SSL
([http://www.hulu.com/api/oembed.json?url=https://www.hulu.com/watch/647281
example]).
* '''revision3.com''' - No support in core for `https` URL. No support for embedding content over SSL ([https://revision3.com/api/oembed?url=https://revision3.com/sourcefednerd/game-of-thrones-the-watchers-on-the-wall-reviewed/ example]). Mixed content when viewing the site over SSL.
* '''photobucket.com''' - No support in core for `https` URL. Site
doesn't resolve over SSL
([https://photobucket.com/oembed?url=https://i199.photobucket.com/albums/aa117/vchartman/weather/bearintherain-1.gif
example]).
* '''scribd.com''' - SSL site redirects to HTTP site. No support for embedding content over SSL ([http://www.scribd.com/services/oembed?format=json&url=https%3A%2F%2Fwww.scribd.com%2Fdoc%2F65793063%2FMuestra-Comic-Asterix-II example]).
* '''wordpress.tv''' - No support in core for `https` URL. Invalid SSL certificate (points to wordpress.com). No support for embedding content over SSL ([http://wordpress.tv/oembed?url=https://wordpress.tv/2014/06/07/andrew-nacin-wordcamp-connecticut-keynote/ example]).
* '''poll.fm''' - Invalid SSL certificate (points to polldaddy.com). No support for embedding content over SSL ([https://polldaddy.com/oembed/?url=https://poll.fm/4tzp6 example] which 404s due to `https` scheme on poll.fm URL). Note that SSL for polldaddy.com URLs is fine.
* '''funnyordie.com''' - Invalid SSL certificate (points to an Akamai domain). No support for embedding content over SSL ([http://www.funnyordie.com/oembed?url=https%3A%2F%2Fwww.funnyordie.com%2Fvideos%2F82e2ad3eaa%2Fthrowing-shade-47-summer-vacay-and-guest-mo&format=json example]).
* '''slideshare.net''' - Embeds are only served over SSL if `https` is
used for the oEmbed endpoint URL. All ok otherwise.
* '''instagram.com''' - No support in core for `https` URLs. SSL requests
to pages redirect to the `http` version. No support for embedding content
over SSL
([https://api.instagram.com/oembed?url=https://instagram.com/p/o_z7AlKyVw/
example]).
* '''instagr.am''' - Invalid SSL certificate (points to instagram.com).
No support in core for `https` URLs. No support for embedding content over
SSL
([https://api.instagram.com/oembed?url=https://instagr.am/p/o_z7AlKyVw/
example]).
* '''imgur.com''' - No support for embedding content over SSL
([https://api.imgur.com/oembed?url=https://imgur.com/gallery/9dlrs
example]).
* '''meetup.com''' - Site is broken over SSL. No support for embedding
content over SSL
([https://api.meetup.com/oembed?url=https://www.meetup.com/syncnorwich/events/168051512/
example] or broken API response vs.
[https://api.meetup.com/oembed?url=http://www.meetup.com/syncnorwich/events/168051512/
working example] for `http`).
* '''meetu.ps''' - Brokenly redirects to meetup.com over `http`. Same
embed problems as above.
* '''collegehumor.com''' - SSL requests to pages redirect to the `http` version. No support for embedding content over SSL ([https://www.collegehumor.com/oembed.json?url=https://www.collegehumor.com/video/6970155/collegehumor-all-nighter-14-batman-of-the-office example]).
* '''ted.com''' - No support for embedding content over SSL
([https://www.ted.com/talks/oembed.json?url=https://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke_of_insight.html
example]).
Ok providers (for reference):
* '''youtube.com''' and '''youtu.be''' - SSL embeds via the
`scheme=https` parameter.
* '''vimeo.com''' - Embeds are protocol-relative.
* '''flickr.com''' - SSL everywhere (same for flic.kr).
* '''polldaddy.com''' - Embeds are served over SSL if the parent
container uses SSL. Effectively protocol-relative via JavaScript.
* '''twitter.com''' - SSL everywhere.
* '''soundcloud.com''' - SSL everywhere. (Minor note: their oEmbed
response includes an `http` URL for the thumbnail on their CDN, but it
resolves over `https` if you change it.)
* '''rdio.com''' and '''rd.io''' - SSL embeds by default.
* '''spotify.com''' - SSL everywhere.
* '''issuu.com''' - Embeds are served over SSL if the parent container
uses SSL. Effectively protocol-relative via JavaScript.
* '''mixcloud.com''' - Embeds are protocol-relative.
Immediate task list:
* Add support for `https` URLs for flic.kr.
* Switch oEmbed endpoint to `https` for flickr.com, flic.kr, and
slideshare.net.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28507#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
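The survey above is, in effect, a manual mixed-content audit of each provider's oEmbed response: does the returned `html` load the player over `http`, is the `thumbnail_url` `http`, or does the endpoint simply not answer for an `https` URL. The following Python script is an added example (not code from the ticket or from WordPress core) that automates that classification for a saved oEmbed response body. The four sample responses and all `example.invalid` hostnames are constructed for the demonstration; in practice the body would come from a request to the provider's endpoint with the `https` scheme, as the links in the comment do.

```python
"""Classify an oEmbed JSON response for resources that would be mixed content
when the embed is rendered on an HTTPS page.

Added example; the sample responses below are constructed, not captured
from any real provider."""
import json
import re
from urllib.parse import urlparse

# One match per tag that loads a remote resource: (tag name, URL).
# Only src/data attributes are considered; an href is a link, not a fetch.
_RESOURCE_TAG = re.compile(
    r'<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*?\b(?:src|data)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)

# Tags whose http:// content browsers block outright on an HTTPS page
# (active mixed content); everything else is passive (warned, not blocked).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


def classify_url(url):
    """Return 'relative', 'https', 'http' or 'other' for one URL as written."""
    if url.startswith("//"):
        return "relative"  # protocol-relative: inherits the page's scheme
    scheme = urlparse(url).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"


def audit_oembed(raw_body):
    """Audit one oEmbed response body.

    Returns {"status": "ok" | "mixed" | "broken",
             "insecure": [(field, url, "active" | "passive"), ...]}.
    A body that is not a JSON object with a "type" field counts as broken,
    which covers the 404 / HTML error pages several providers return for
    https URLs.
    """
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return {"status": "broken", "insecure": []}
    if not isinstance(data, dict) or "type" not in data:
        return {"status": "broken", "insecure": []}

    insecure = []
    # Spec-level fields the consumer (or browser) fetches directly: the
    # photo URL for type=photo and the thumbnail for any type.
    for field in ("url", "thumbnail_url"):
        value = data.get(field)
        if isinstance(value, str) and classify_url(value) == "http":
            insecure.append((field, value, "passive"))
    # Every resource-loading tag inside the embed markup.
    for tag, url in _RESOURCE_TAG.findall(data.get("html") or ""):
        if classify_url(url) == "http":
            severity = "active" if tag.lower() in ACTIVE_TAGS else "passive"
            insecure.append(("html:" + tag.lower(), url, severity))
    return {"status": "mixed" if insecure else "ok", "insecure": insecure}


# Constructed sample bodies covering the cases seen in the provider survey.
SAMPLES = {
    "protocol-relative": json.dumps({
        "type": "video",
        "html": '<iframe src="//player.example.invalid/v/1"></iframe>',
        "thumbnail_url": "https://img.example.invalid/1.jpg"}),
    "http-only-embed": json.dumps({
        "type": "video",
        "html": '<iframe src="http://player.example.invalid/v/2"></iframe>',
        "thumbnail_url": "https://img.example.invalid/2.jpg"}),
    "http-thumbnail": json.dumps({
        "type": "rich",
        "html": '<iframe src="https://w.example.invalid/p/3"></iframe>',
        "thumbnail_url": "http://cdn.example.invalid/3.jpg"}),
    "broken-endpoint": "<html><body>404 Not Found</body></html>",
}


def audit_all(samples=SAMPLES):
    """Run the audit over a name -> body mapping; returns name -> status."""
    return {name: audit_oembed(body)["status"] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = audit_oembed(body)
        print(f"{name:20s} {result['status']:7s}", result["insecure"])
```

The distinction between active and passive findings matters for triage: an `http` `iframe` or `script` is blocked by browsers on an `https` page, so the embed is simply missing, while an `http` thumbnail only produces a warning. The "protocol-relative" sample passes, which is the behaviour the comment credits to vimeo.com and mixcloud.com.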