[wp-trac] [WordPress Trac] #55278: Fix Support for embed.ly with Odysee.com (half working)

WordPress Trac noreply at wordpress.org
Thu Mar 3 23:31:00 UTC 2022

#55278: Fix Support for embed.ly with Odysee.com (half working)
 Reporter:  tomatodysee  |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Embeds       |     Version:
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:  ui

Comment (by peterwilsoncc):

 The [https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
 #attr-sandbox sandbox attribute documentation] on MDN is pretty clear
 about this:

 > When the embedded document has the same origin as the embedding page, it
 is strongly discouraged to use both allow-scripts and allow-same-origin,
 **as that lets the embedded document remove the sandbox attribute** —
 making it no more secure than not using the sandbox attribute at all.

 (my emphasis)

 Locking down access to `window.parent` within auto-discovered embeds is
 quite intentional. The `sandbox` attribute's settings were discussed in
 #32522 but it's quite lengthy.

Ticket URL: <https://core.trac.wordpress.org/ticket/55278#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list