[wp-trac] [WordPress Trac] #32522: oEmbed WordPress Posts in WordPress Posts

WordPress Trac noreply at wordpress.org
Thu Jul 16 18:30:47 UTC 2015


#32522: oEmbed WordPress Posts in WordPress Posts
-------------------------+------------------------------
 Reporter:  melchoyce    |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Embeds       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration
-------------------------+------------------------------

Comment (by dmchale):

 I think it's also the matter of trust, as was mentioned above. The current
 process for being whitelisted as an oEmbed provider gets thrown out the
 window if we suddenly start trusting the content of every link that comes
 from a site built on WordPress, aka almost a quarter of the internet. And
 if we're blindly looking for an endpoint without using the domain as a
 means of trust, what's to stop someone from simply building a similar-
 looking endpoint on a site that isn't even running WordPress, and sending
 back whatever potentially-malicious content they please?

 If I were a Bad Guy(tm), you can bet that the first thing I would do is
 start figuring out how to get my code injected into other people's sites
 via oEmbed (*especially* if core implemented this as an enabled-by-default
 feature and not just an option). Then you just wait for people to
 link/embed to a site you control - by legitimate means or otherwise.

 If anyone has a counter-point, I'd love to be proved wrong. I'm not seeing
 it myself though.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32522#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
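
An added illustration of the trust question raised in the comment above (not code from the ticket or from WordPress core): embed markup is honoured only when the endpoint's host is on an explicit allowlist, and a reply from any other endpoint is reduced to an escaped link. The host names, sample replies and function names are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist; not WordPress's actual provider list.
TRUSTED_PROVIDER_HOSTS = {"video.example", "photos.example"}

# Constructed oEmbed replies.
TRUSTED_REPLY = {"version": "1.0", "type": "video", "title": "Clip",
                 "html": '<iframe src="https://video.example/embed/1"></iframe>'}
FORGED_REPLY = {"version": "1.0", "type": "rich", "title": "Nice <b>post</b>",
                "html": "<script>/* markup chosen by the remote site */</script>"}


def _split(url):
    """Parse a URL, returning None instead of raising on malformed input."""
    try:
        return urlsplit(url)
    except ValueError:
        return None


def provider_is_trusted(endpoint_url):
    """Trust follows the endpoint's exact host over HTTPS, never the fact
    that the reply is well-formed oEmbed."""
    parts = _split(endpoint_url)
    if parts is None or parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in TRUSTED_PROVIDER_HOSTS


def render_embed(page_url, endpoint_url, reply):
    """Return the HTML to place in a post for one oEmbed reply."""
    if provider_is_trusted(endpoint_url) and reply.get("type") in ("rich", "video"):
        return reply.get("html", "")
    # Unlisted endpoint: discard its html field and fall back to a link.
    title = escape(str(reply.get("title") or page_url))
    target = _split(page_url)
    if target is None or target.scheme not in ("http", "https") or not target.hostname:
        return title  # not a web URL, so emit text only
    return '<a href="{}" rel="nofollow noopener">{}</a>'.format(escape(page_url), title)
```

A host that merely contains a trusted name, or carries it in the userinfo part of the URL, does not match the allowlist.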

