[wp-trac] [WordPress Trac] #55278: Fix Support for embed.ly with Odysee.com (half working)

WordPress Trac noreply at wordpress.org
Thu Mar 3 05:57:53 UTC 2022

#55278: Fix Support for embed.ly with Odysee.com (half working)
 Reporter:  tomatodysee  |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Embeds       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:  ui

Comment (by tomatodysee):

 Replying to [comment:2 peterwilsoncc]:
 > Can you please answer each of the questions of the
 /#adding-new-oembed-providers checklist for adding new oEmbed providers]
 to the allow list?
 > The quickest way to get embeds working for your site would be to limit
 the HTML to the allowed list of tags for auto-discovery, this includes
 links, blockquotes and iframes with a limited set of attributes. See
 > For iframes, you'd also need to ensure any JavaScript and other code
 within the embed can be run in iframes with the attributes `sandbox
 ="allow-scripts" security="restricted"`.
 > By enabling auto-discovery, your site's embeds will work on both
 WordPress versions below 6.0 and you won't need to go through the
 checklist above.

 Hey Peter, thanks so much for the reply!

 From our research about how "allow same origin" works with sandboxing, it
 should be safe to use if site A and embed site B are on different domains.
 Source: https://stackoverflow.com/questions/28332829/can-an-iframe-
 release-itself-from-allow-same-origin /

 "Note, however, that you need to be very careful when dealing with framed
 content that comes from the same origin as the parent. If a page on
 https://example.com/ frames another page on the same origin with a sandbox
 that includes both the allow-same-origin and allow-scripts flags, then the
 framed page can reach up into the parent, and remove the sandbox attribute

 I have read other places that say it's not recommended, but they usually
 don't mention the same origin caveat.

 Do you have any more information on this?

 Right now our iframes fail with: ```Uncaught DOMException: Failed to read
 the 'cookie' property from 'Document': The document is sandboxed and lacks
 the 'allow-same-origin' flag.``` since we use cookies on the site.

Ticket URL: <https://core.trac.wordpress.org/ticket/55278#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list