[wp-trac] [WordPress Trac] #52240: Add ActBlue as an oEmbed Provider
WordPress Trac
noreply at wordpress.org
Fri Jan 8 19:11:45 UTC 2021
#52240: Add ActBlue as an oEmbed Provider
-------------------------------------------------+-------------------------
Reporter: actblue | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion reporter-feedback close needs-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by samueldcole):
Hi!
I'm a Software Engineer at ActBlue, and the lead engineer on the ActBlue
embed form, and I cowrote this ticket.
We would love it if oEmbed discovery worked out of the box, and I
spent some time reducing our HTML snippet in the oEmbed response to the
minimum `<iframe>`; however, because our embed processes payments, we need
a few things that the sanitizer removes:
- `allowpaymentrequest`: this allows Google Pay to process payments on
  Android devices without users needing to proceed through a bunch of forms.
  It wouldn't be a huge loss, but it does make the form easier and I'm not
  sure if there's an explicit reason that it's removed.
- `sandbox`: we use a full menu of `sandbox` attributes
  (`allow-storage-access-by-user-activation allow-scripts allow-same-origin
  allow-forms allow-popups`), which gets overwritten by
  `sandbox="allow-scripts"`:
  - `allow-storage-access-by-user-activation`: we use this to identify
    returning donors on Safari devices, which isn't critical, but it makes the
    form easier for those folks.
  - `allow-scripts`: *required*: since our whole embed is a JavaScript/React
    app (but WordPress already includes this).
  - `allow-same-origin`: *required for accepting credit cards*: our internal
    PCI sandbox uses the document origin to establish a communication channel.
  - `allow-forms`: *required*: our whole embed is a form, and for
    accessibility we rely on traditional HTML `<form>` behavior.
  - `allow-popups`: *required for PayPal*: PayPal will spawn a popup to
    authenticate payments; additionally, we have a few links that need to open
    in new windows. It might be OK to lose those, but a decent number of
    contributions come through PayPal.
I believe the easiest path to making ActBlue URLs embeddable through the
Embed block is to allowlist our oEmbed provider so that it isn't subject
to sanitization. However, if the embed sanitization allows for these
attributes, it might be useful for other people with embeddable payment
systems.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52240#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
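As an added example (not code from the ticket, from WordPress core or from ActBlue), this is one way a site owner could grant exactly the sandbox tokens the comment lists for a single provider without adding it to the trusted list: a filter on `oembed_dataparse` that runs after core's `wp_filter_oembed_result()` and replaces the forced `sandbox="allow-scripts"` with an explicit token allowlist. The host constant is a placeholder, since the ticket does not give ActBlue's embed URL, and the token list is the one quoted in the comment.

```php
<?php
// Added example; not code from the ticket, WordPress core or ActBlue.
// Core hooks wp_filter_oembed_result() on 'oembed_dataparse' at priority 10:
// it runs an untrusted provider's HTML through wp_kses() and forces
// sandbox="allow-scripts" on the <iframe>. Registering the provider as
// trusted would skip wp_kses() entirely, so instead this filter runs after
// core and widens the sandbox only for one host, from an explicit list.

// ASSUMPTION: placeholder host of the URLs pasted into the Embed block;
// the real ActBlue host is not given in the ticket.
const ACTBLUE_EMBED_HOST = 'actblue.example';

// Tokens the ticket lists. Each one hands the framed document a capability,
// so the list is kept explicit and reviewable rather than copied from the
// provider's response. The frame is cross-origin to this site, which is
// what makes allow-scripts + allow-same-origin acceptable here: a same-origin
// frame with both tokens could remove its own sandbox.
const ACTBLUE_SANDBOX_TOKENS = array(
	'allow-scripts',                           // the embed is a React app
	'allow-same-origin',                       // PCI frame uses the document origin
	'allow-forms',                             // the embed is an HTML <form>
	'allow-popups',                            // PayPal authentication popup
	'allow-storage-access-by-user-activation', // returning donors on Safari
);

function actblue_widen_oembed_sandbox( $html, $data, $url ) {
	// Core returns false when no <iframe> survived sanitization; pass it on.
	if ( ! is_string( $html ) ) {
		return $html;
	}
	// Scope strictly by host: any other provider keeps core's sandbox.
	if ( ACTBLUE_EMBED_HOST !== wp_parse_url( $url, PHP_URL_HOST ) ) {
		return $html;
	}
	// Core emits exactly this attribute string. Replace it rather than append
	// a second sandbox attribute, so the <iframe> still carries only one.
	// allowpaymentrequest was already stripped by wp_kses() and is not restored.
	return str_replace(
		'sandbox="allow-scripts"',
		'sandbox="' . esc_attr( implode( ' ', ACTBLUE_SANDBOX_TOKENS ) ) . '"',
		$html
	);
}
// Priority 20 so this runs after core's sanitizer, never before it.
add_filter( 'oembed_dataparse', 'actblue_widen_oembed_sandbox', 20, 3 );
```

Placed in an mu-plugin, this keeps the rest of core's sanitization (the `wp_kses()` attribute allowlist, the `data-secret` handshake) in place and changes only the sandbox tokens for the one host.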