[wp-trac] [WordPress Trac] #58120: oEmbed Mastodon
WordPress Trac
noreply at wordpress.org
Wed Apr 12 22:02:13 UTC 2023
#58120: oEmbed Mastodon
-----------------------------+------------------------------
Reporter: mediaformat | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Embeds | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by johnbillion):

 This appears to be a CORS problem, but I'm not yet sure why.

 What's happening:

 1. User wants to embed a toot
 (`https://mastodon.social/@jk/110169910775357223` in the example from
 @mediaformat) so pastes it into the editor, either directly or via the
 Embed block.
 2. Mastodon supports oEmbed auto-discovery, therefore that URL contains an
 `application/json+oembed` link that points to an oEmbed endpoint:
 <https://mastodon.social/api/oembed?format=json&url=https%3A%2F%2Fmastodon.social%2F%40jk%2F110169910775357223>.
 3. The `html` property in the oEmbed endpoint response includes an
 `<iframe>` and a `<script>` tag. The iframe is allowed by the oEmbed
 handler in WordPress and is outputted. The script tag isn't and therefore
 gets stripped but it doesn't appear to matter because it's only there to
 adjust the height of the contents of the iframe and doesn't affect the
 main styling.
 4. When the `<iframe>` is displayed on the page a CORS restriction
 somewhere prevents its CSS and JS files from loading -- this is the actual
 cause of the missing styles -- but I've not figured out the details yet.
 CORS doesn't normally restrict CSS and JS files from loading within a
 third-party iframe.

 Needs some more investigation.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/58120#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
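
The discovery and filtering flow from steps 2 and 3 of the comment, as an added example (not part of the original message and not WordPress's own code): it finds the `application/json+oembed` link in a page and reduces an oEmbed `html` value to its `<iframe>`, dropping the `<script>`. The page markup, the response body, the attribute allowlist, the https-only check and the function names are assumptions made for illustration.

```python
import json
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs (not captured from mastodon.social).
PAGE = ('<html><head><link rel="alternate" type="application/json+oembed" '
        'href="https://mastodon.social/api/oembed?format=json&amp;url=https%3A%2F%2F'
        'mastodon.social%2F%40jk%2F110169910775357223"></head></html>')
RESPONSE = json.dumps({
    "type": "rich", "version": "1.0",
    "html": '<iframe src="https://mastodon.social/@jk/110169910775357223/embed" '
            'class="mastodon-embed" width="400" onload="x()"></iframe>'
            '<script src="https://mastodon.social/embed.js" async="async"></script>',
})
ALLOWED_IFRAME_ATTRS = {"src", "class", "width", "height"}  # assumed allowlist


class _Discover(HTMLParser):
    """Records the href of the first application/json+oembed <link>."""
    endpoint = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("type") == "application/json+oembed" and not self.endpoint:
            self.endpoint = a.get("href")


class _IframeOnly(HTMLParser):
    """Re-emits only <iframe> tags with allowlisted attributes and an https src."""
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs if k in ALLOWED_IFRAME_ATTRS}
        if tag == "iframe" and urlparse(a.get("src", "")).scheme == "https":
            rendered = "".join(f' {k}="{escape(v)}"' for k, v in a.items())
            self.out.append(f"<iframe{rendered}></iframe>")

def discover_oembed(page_html):
    p = _Discover()
    p.feed(page_html)
    return p.endpoint

def filter_embed_html(oembed_json):
    p = _IframeOnly()
    p.feed(json.loads(oembed_json)["html"])
    return "".join(p.out)
```

Because the filter rebuilds the tag from an allowlist rather than deleting known-bad pieces, the `onload` handler and the `<script>` element both disappear without being named anywhere in the code.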