[wp-trac] [WordPress Trac] #55278: Fix Support for embed.ly with Odysee.com (half working)
WordPress Trac
noreply at wordpress.org
Thu Mar 3 05:57:53 UTC 2022
#55278: Fix Support for embed.ly with Odysee.com (half working)
-------------------------+------------------------------
Reporter: tomatodysee | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: ui
-------------------------+------------------------------
Comment (by tomatodysee):
Replying to [comment:2 peterwilsoncc]:
> Can you please answer each of the questions of the [https://make.wordpress.org/core/handbook/contribute/design-decisions/#adding-new-oembed-providers checklist for adding new oEmbed providers] to the allow list?
>
> The quickest way to get embeds working for your site would be to limit the HTML to the allowed list of tags for auto-discovery, this includes links, blockquotes and iframes with a limited set of attributes. See https://github.com/WordPress/wordpress-develop/blob/107050f7a34d0b728e4c38bfc946e3339578ea6f/src/wp-includes/embed.php#L921-L936
>
> For iframes, you'd also need to ensure any JavaScript and other code within the embed can be run in iframes with the attributes `sandbox="allow-scripts" security="restricted"`.
>
> By enabling auto-discovery, your site's embeds will work on both WordPress versions below 6.0 and you won't need to go through the checklist above.
Hey Peter, thanks so much for the reply!
From our research about how "allow same origin" works with sandboxing, it
should be safe to use if site A and embed site B are on different domains.
Source: https://stackoverflow.com/questions/28332829/can-an-iframe-release-itself-from-allow-same-origin / https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
"Note, however, that you need to be very careful when dealing with framed
content that comes from the same origin as the parent. If a page on
https://example.com/ frames another page on the same origin with a sandbox
that includes both the allow-same-origin and allow-scripts flags, then the
framed page can reach up into the parent, and remove the sandbox attribute
entirely."
I have read other places that say it's not recommended, but they usually
don't mention the same origin caveat.
Do you have any more information on this?
Right now our iframes fail with: ```Uncaught DOMException: Failed to read the 'cookie' property from 'Document': The document is sandboxed and lacks the 'allow-same-origin' flag.``` since we use cookies on the site.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55278#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
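
The sandbox combinations discussed in this comment, as an added example that is not part of the original ticket or of WordPress code: a small Node.js audit that classifies each iframe in a page by its `sandbox` tokens and by whether it shares the embedding page's origin. The function names, the `blog.example` and `video.example` hosts, and the finding labels are assumptions made for illustration.

```javascript
// Added example; function names, hosts and finding labels are illustrative,
// not a WordPress or browser API. SAMPLE_HTML is constructed markup.
const SAMPLE_HTML = `
<iframe src="https://video.example/embed/1" sandbox="allow-scripts" security="restricted"></iframe>
<iframe src="https://video.example/embed/2" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/local/widget" sandbox="allow-same-origin allow-scripts"></iframe>
<iframe src="https://video.example/embed/3"></iframe>`;

function attr(tag, name) {
  // Minimal double-quoted attribute matcher, sufficient for the sample above.
  const m = new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, 'i').exec(tag);
  return m ? m[1] : null;
}

function auditIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return (html.match(/<iframe\b[^>]*>/gi) || []).map((tag) => {
    const src = new URL(attr(tag, 'src') || 'about:blank', pageUrl);
    const sandbox = attr(tag, 'sandbox'); // null when the attribute is absent
    const tokens = new Set((sandbox || '').toLowerCase().split(/\s+/).filter(Boolean));
    const sameOrigin = src.origin === pageOrigin;
    const scripts = sandbox === null || tokens.has('allow-scripts');
    // Without allow-same-origin the framed document gets an opaque origin.
    const opaqueOrigin = sandbox !== null && !tokens.has('allow-same-origin');
    let finding;
    if (sandbox === null) {
      finding = 'unsandboxed';
    } else if (!scripts) {
      finding = 'scripts-blocked';
    } else if (opaqueOrigin) {
      // Scripts run, but reading document.cookie raises the DOMException
      // quoted in the comment above.
      finding = 'cookie-read-throws';
    } else if (sameOrigin) {
      // Same origin as the parent plus both flags: the framed page can
      // reach the parent and remove the sandbox attribute.
      finding = 'sandbox-removable';
    } else {
      // The frame keeps its own origin and cookies; the same-origin policy
      // still separates it from the embedding page.
      finding = 'keeps-own-origin';
    }
    return { src: src.href, sameOrigin, opaqueOrigin, finding };
  });
}

console.table(auditIframes(SAMPLE_HTML, 'https://blog.example/post/1'));
```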