[wp-trac] [WordPress Trac] #32522: oEmbed WordPress Posts in WordPress Posts
WordPress Trac
noreply at wordpress.org
Thu Jul 16 18:30:47 UTC 2015
#32522: oEmbed WordPress Posts in WordPress Posts
-------------------------+------------------------------
Reporter: melchoyce | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration
-------------------------+------------------------------
Comment (by dmchale):
I think it's also the matter of trust, as was mentioned above. The current
process for being whitelisted as an oEmbed provider gets thrown out the
window if we suddenly start trusting the content of every link that comes
from a site built on WordPress, aka almost a quarter of the internet. And
if we're blindly looking for an endpoint without using the domain as a
means of trust, what's to stop someone from simply building a similar-
looking endpoint on a site that isn't even running WordPress, and sending
back whatever potentially-malicious content they please?

If I were a Bad Guy(tm), you can bet that the first thing I would do is
start figuring out how to get my code injecting into other people's sites
via oEmbed (*especially* if core implemented this as an enabled-by-default
feature and not just an option). Then you just wait for people to
link/embed to a site you control - by legitimate means or otherwise.

If anyone has a counter-point, I'd love to be proved wrong. I'm not seeing
it myself though.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32522#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
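
The following is an added example, not WordPress core code and not written by the commenter. It sketches the trust distinction the comment draws: markup from an allowlisted provider domain is used as supplied, while a response from a merely discovered endpoint is treated as data and reduced to an escaped link. The host names, the allowlist and the function names are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumption: a hypothetical allowlist of provider hosts the site has vetted.
TRUSTED_PROVIDER_HOSTS = {"video.example", "photos.example"}


def _https_host(url):
    """Lowercased host of an https URL, or None if the URL is unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_trusted_endpoint(endpoint_url):
    """True only for an allowlisted host or a subdomain of one."""
    host = _https_host(endpoint_url)
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_PROVIDER_HOSTS)


def render_embed(page_url, endpoint_url, response):
    """Return the markup that may be written into the embedding post."""
    if is_trusted_endpoint(endpoint_url) and isinstance(response.get("html"), str):
        return response["html"]  # vetted provider: markup used as supplied
    # Discovered, unvetted endpoint: its response is data, never markup.
    try:
        scheme = urlsplit(page_url).scheme
    except ValueError:
        return ""
    if scheme not in ("http", "https"):
        return ""  # refuse javascript:, data: and similar link targets
    title = html.escape(str(response.get("title") or page_url))
    href = html.escape(page_url, quote=True)
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (href, title)


# Constructed sample: a lookalike endpoint returning markup of its own choosing.
SAMPLE = {"type": "rich", "title": "Hello <b>", "html": "<script>/* untrusted */</script>"}

if __name__ == "__main__":
    print(render_embed("https://blog.attacker.test/post",
                       "https://video.example.attacker.test/oembed", SAMPLE))
```

The host comparison is made on the parsed hostname, so an allowlisted name used as a prefix or placed in the userinfo part of the URL does not pass.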