[wp-trac] [WordPress Trac] #43136: WP_oEmbed_Controller->get_item() returns a blockquote without the data-secret attribute
WordPress Trac
noreply at wordpress.org
Wed Jan 24 01:55:59 UTC 2018
#43136: WP_oEmbed_Controller->get_item() returns a blockquote without the data-
secret attribute
--------------------------------------+-----------------------
Reporter: imath | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Embeds | Version: 4.4
Severity: normal | Resolution: invalid
Keywords: has-patch has-unit-tests | Focuses: rest-api
--------------------------------------+-----------------------
Changes (by pento):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
The current behaviour of the endpoint is correct, the secret ''must'' to
be added by the embedding site, not the embedded site.
If the embedded site were to provide a secret that the embedding site
then trusted, it could potentially give a secret that another embed on the
same page is using. That would allow the embedded site to break out of the
iframe on page load (instead of when it's being interacted with), or
prevent other embedded sites from functioning correctly.
I'm going to close this issue, and review the Gutenberg issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43136#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list