[wp-trac] [WordPress Trac] #28507: Secure oEmbeds
WordPress Trac
noreply at wordpress.org
Sat Sep 26 12:17:50 UTC 2015
#28507: Secure oEmbeds
----------------------------+-----------------------------
Reporter: johnbillion | Owner: johnbillion
Type: task (blessed) | Status: accepted
Priority: normal | Milestone: Future Release
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+-----------------------------
Description changed by johnbillion:
Old description:
> We need to audit our oEmbed providers and determine:
>
> * Which ones don't support embedding an `https` URL
> * Which ones don't support embedding content over SSL
>
> If we have providers in core which do not support embedding content over
> SSL then we (or the WP.com team) should make contact and see if they're
> open to implementing it. This is pretty much a prerequisite for #28249 as
> it stands.
>
> ----
>
> Problem providers:
>
> ||=Provider=||=Core supports HTTPS URL=||=Endpoint recognises HTTPS
> URL=||=Embed supports HTTPS=||=Notes=||
> ||dai.ly||'''No'''||'''[http://www.dailymotion.com/services/oembed?url=https://dai.ly
> /x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
> end_news No]'''||-||Invalid SSL certificate (points to dailymotion.com)||
> ||hulu.com||Yes||[http://www.hulu.com/api/oembed.json?url=https://www.hulu.com/watch/647281
> Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
> ||photobucket.com||'''No'''||[http://photobucket.com/oembed?url=https://i199.photobucket.com/albums/aa117/vchartman/weather/bearintherain-1.gif
> Yes]||'''No'''||Site doesn't resolve over HTTPS||
> ||poll.fm||Yes||[https://polldaddy.com/oembed/?url=https://poll.fm/4tzp6
> Yes]||Yes||Invalid SSL certificate (points to polldaddy.com)||
> ||instagr.am||Yes||'''[https://api.instagram.com/oembed?url=https://instagr.am/p/rR9ZOSCjc_/
> Yes]'''||-||Invalid SSL certificate (points to instagram.com)||
> ||collegehumor.com||Yes||[http://www.collegehumor.com/oembed.json?url=https://www.collegehumor.com/video/6970155
> /collegehumor-all-nighter-14-batman-of-the-office Yes]||'''No'''||-||
> ||ted.com||Yes||[http://www.ted.com/talks/oembed.json?url=https://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke_of_insight.html
> Yes]||Yes||Almost there, just some mixed content in embeds||
> ||animoto.com||Yes||[http://animoto.com/oembeds/create?url=https://animoto.com/play/MlRRgXHhoT8gOZyHanM6TA&format=json
> Yes]||Yes||HTTPS embeds by default, but mixed content when playing an
> embed||
> ||video214.com||Yes||[http://animoto.com/oembeds/create?url=https://video214.com/play/MlRRgXHhoT8gOZyHanM6TA&format=json
> Yes]||Yes||HTTPS embeds by default, but mixed content when playing an
> embed||
> ||kck.st||Yes||[https://www.kickstarter.com/services/oembed?url=https://kck.st/1zdKEWP
> Yes]||-||Domain isn't available over HTTPS||
>
> Recently fixed providers:
>
> * '''flic.kr''' - HTTPS everywhere. Regex corrected in r28834.
> * '''slideshare.net''' - HTTPS embeds since r28834.
> * '''wordpress.tv''' - HTTPS embeds for HTTPS URLs.
> * '''meetup.com''' and '''meetu.ps'''- HTTPS embeds for HTTPS URLs.
> * '''instagram.com''' - HTTPS everywhere since r31710.
> * '''dailymotion.com''' - Uses the HTTPS oEmbed endpoint since r34587.
> * '''smugmug.com''' - Embeds now use HTTPS by default.
> * '''funnyordie.com''' - Embeds are now protocol-relative and cert is
> now valid.
> * '''imgur.com''' - Embeds are now protocol-relative.
>
> Ok providers:
>
> * '''youtube.com''' and '''youtu.be''' - HTTPS embeds via the
> `scheme=https` parameter.
> * '''vimeo.com''' - Embeds are protocol-relative.
> * '''flickr.com''' - HTTPS everywhere (same for flic.kr).
> * '''polldaddy.com''' - Embeds are served over HTTPS if the parent
> container uses HTTPS. Effectively protocol-relative via JavaScript.
> * '''twitter.com''' - HTTPS everywhere.
> * '''soundcloud.com''' - HTTPS everywhere. (Minor note: their oEmbed
> response includes an `http` URL for the thumbnail on their CDN, but it
> resolves over `https` if you change it.)
> * '''rdio.com''' and '''rd.io''' - HTTPS embeds by default.
> * '''spotify.com''' - HTTPS everywhere.
> * '''issuu.com''' - Embeds are served over HTTPS if the parent container
> uses HTTPS. Effectively protocol-relative via JavaScript.
> * '''mixcloud.com''' - Embeds are protocol-relative.
> * '''tumblr.com''' - Embeds are partly HTTPS and partly protocol-
> relative.
> * '''vine.co''' - HTTPS everywhere.
> * '''scribd.com''' - HTTPS embeds by default.
New description:
We need to audit our oEmbed providers and determine:
* Which ones don't support embedding an `https` URL
* Which ones don't support embedding content over SSL
If we have providers in core which do not support embedding content over
SSL then we (or the WP.com team) should make contact and see if they're
open to implementing it. This is pretty much a prerequisite for #28249 as
it stands.
----
Problem providers:
||=Provider=||=Core supports HTTPS URL=||=Endpoint recognises HTTPS
URL=||=Embed supports HTTPS=||=Notes=||
||dai.ly||'''No'''||'''[http://www.dailymotion.com/services/oembed?url=https://dai.ly
/x1z6k7r_putin-says-ukrainian-gas-price-demands-force-talks-into-dead-
end_news No]'''||-||Invalid SSL certificate (points to dailymotion.com)||
||hulu.com||Yes||[http://www.hulu.com/api/oembed.json?url=https://www.hulu.com/watch/647281
Yes]||'''No'''||Invalid SSL certificate (points to Akamai)||
||photobucket.com||'''No'''||[http://photobucket.com/oembed?url=https://i199.photobucket.com/albums/aa117/vchartman/weather/bearintherain-1.gif
Yes]||'''No'''||Site doesn't resolve over HTTPS||
||poll.fm||Yes||[https://polldaddy.com/oembed/?url=https://poll.fm/4tzp6
Yes]||Yes||Invalid SSL certificate (points to polldaddy.com)||
||instagr.am||Yes||'''[https://api.instagram.com/oembed?url=https://instagr.am/p/rR9ZOSCjc_/
Yes]'''||-||Invalid SSL certificate (points to instagram.com)||
||ted.com||Yes||[http://www.ted.com/talks/oembed.json?url=https://www.ted.com/talks/jill_bolte_taylor_s_powerful_stroke_of_insight.html
Yes]||Yes||Almost there, just some mixed content in embeds||
||animoto.com||Yes||[http://animoto.com/oembeds/create?url=https://animoto.com/play/MlRRgXHhoT8gOZyHanM6TA&format=json
Yes]||Yes||HTTPS embeds by default, but mixed content when playing an
embed||
||video214.com||Yes||[http://animoto.com/oembeds/create?url=https://video214.com/play/MlRRgXHhoT8gOZyHanM6TA&format=json
Yes]||Yes||HTTPS embeds by default, but mixed content when playing an
embed||
||kck.st||Yes||[https://www.kickstarter.com/services/oembed?url=https://kck.st/1zdKEWP
Yes]||-||Domain isn't available over HTTPS||
Recently fixed providers:
* '''flic.kr''' - HTTPS everywhere. Regex corrected in r28834.
* '''slideshare.net''' - HTTPS embeds since r28834.
* '''wordpress.tv''' - HTTPS embeds for HTTPS URLs.
* '''meetup.com''' and '''meetu.ps'''- HTTPS embeds for HTTPS URLs.
* '''instagram.com''' - HTTPS everywhere since r31710.
* '''dailymotion.com''' - Uses the HTTPS oEmbed endpoint since r34587.
* '''smugmug.com''' - Embeds now use HTTPS by default.
* '''funnyordie.com''' - Embeds are now protocol-relative and cert is now
valid.
* '''imgur.com''' - Embeds are now protocol-relative.
* '''collegehumor.com''' - HTTPS embeds for HTTPS URLs.
Ok providers:
* '''youtube.com''' and '''youtu.be''' - HTTPS embeds via the
`scheme=https` parameter.
* '''vimeo.com''' - Embeds are protocol-relative.
* '''flickr.com''' - HTTPS everywhere (same for flic.kr).
* '''polldaddy.com''' - Embeds are served over HTTPS if the parent
container uses HTTPS. Effectively protocol-relative via JavaScript.
* '''twitter.com''' - HTTPS everywhere.
* '''soundcloud.com''' - HTTPS everywhere. (Minor note: their oEmbed
response includes an `http` URL for the thumbnail on their CDN, but it
resolves over `https` if you change it.)
* '''rdio.com''' and '''rd.io''' - HTTPS embeds by default.
* '''spotify.com''' - HTTPS everywhere.
* '''issuu.com''' - Embeds are served over HTTPS if the parent container
uses HTTPS. Effectively protocol-relative via JavaScript.
* '''mixcloud.com''' - Embeds are protocol-relative.
* '''tumblr.com''' - Embeds are partly HTTPS and partly protocol-
relative.
* '''vine.co''' - HTTPS everywhere.
* '''scribd.com''' - HTTPS embeds by default.
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28507#comment:58>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list