[wp-trac] [WordPress Trac] #34563: URL structure for providing oEmbed should be made easier to block at webserver

WordPress Trac noreply at wordpress.org
Wed Nov 4 10:13:50 UTC 2015


#34563: URL structure for providing oEmbed should be made easier to block at
webserver
--------------------------+----------------------
 Reporter:  mark-k        |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Embeds        |     Version:  trunk
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by dd32):

 * status:  reopened => closed
 * resolution:   => invalid


Comment:

 This is easily blocked/handled in server configurations, however that is
 the wrong place to do so.

 I use something similar to the following (bad) nginx configuration lines
 to affect caching on my own site: (I'm only doing so for experimentation
 of how the feature works, not because it needs it - normal caching plugins
 still work great here)
 {{{
 if ( $request_uri ~* "/wp-json/oembed/|/embed/$" ) {
     # Magic happens here if they're using URL rewriting
 }
 if ( $request_uri ~* "\?rest_route=/oembed/|oembed=true" ) {
     # Magic for sites not using pretty permalinks
 }
 }}}

 > > The embed content also sends the HTTP header X-WP-embed: true. This
 > > can easily be used as the canonical method for blocking access to the
 > > embed content.
 > I doubt that drupal twitter or facebook will send that header.

 There's a bit of confusion here, that header is sent by WordPress on
 output, as a way for the server to change its behaviour when serving the
 request, it shouldn't/can't be used for blocking the request. It's not
 available during the

 Ultimately you're doing it incredibly wrong if you're wanting to block
 this at the server level, you'll still have the tags on the page
 advertising the functionality. A plugin is the correct route of disabling
 it.


 The URL structures presented by WordPress are going to remain as-is, we're
 not going to create a single file for these requests to go through.
 Trac is not for support either, if you require specific help on how to
 configure your server to work as you want it to, try the
 [https://wordpress.org/support/ WordPress support forums] or ideally a
 support resource dedicated to your webserver of choice.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34563#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

