[wp-trac] [WordPress Trac] #58120: oEmbed Mastodon

WordPress Trac noreply at wordpress.org
Thu Apr 13 23:50:19 UTC 2023


#58120: oEmbed Mastodon
-----------------------------+------------------------------
 Reporter:  mediaformat      |       Owner:  (none)
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Embeds           |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by Otto42):

 The problem is indeed on Mastodon's side, and it's due to their use of the
 crossorigin attribute.

 Example taken from here: https://pluginmachine.com/test-maston-embed/

 The actual embedded iframe is this one.
 `<iframe class="wp-embedded-content" sandbox="allow-scripts"
 security="restricted"
 src="https://mastodon.social/@Josh412/110191480902863091/embed#?secret=Axzy6A59eJ"
 data-secret="Axzy6A59eJ" width="500" height="750"></iframe>`

 The actual content of that iframe looks like this for various scripts and
 style sheets.
 `<link rel="stylesheet" media="all" crossorigin="anonymous"
 href="/packs/css/common-a844dc34.css"
 integrity="sha256-P7jsS35wKfKZ7egDM6otdXk7d8JjmsE5i9R8SD1vD8s=">`

 That `crossorigin="anonymous"` attribute is forcing this request to be a
 CORS request. Which is indeed understandable...

 The problem is that the actual serving of the CSS or JS file does not
 contain the 'Access-Control-Allow-Origin' header on those files' responses
 from the server. Whether the files are static or generated by Mastodon is
 irrelevant because that is a required header when you force the request to
 be a CORS request.

 If they removed that attribute entirely and left it out then possibly that
 request would work. However, leaving it there or empty is forcing the
 issue to make it a CORS request. Therefore, Mastodon needs to control the
 output of the headers such that all files are served with the proper
 headers.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58120#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
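
The checks described in the comment above, modelled as an added example (not code from the ticket, WordPress or Mastodon): a simplified version of the browser's decision for a subresource inside the embed, where `documentOrigin` and `checkSubresource` are hypothetical names. It goes slightly beyond the comment by also covering the case where `crossorigin` is dropped but `integrity` is kept, and it ignores redirects and preflights.

```javascript
// Added model of the browser's checks; not WordPress or Mastodon code.
// Simplified: ignores redirects, preflights and caching.

// A sandboxed iframe without allow-same-origin gets an opaque origin,
// which serializes as the string "null" in the Origin request header.
function documentOrigin(frameUrl, sandbox) {
  const tokens = sandbox === null ? null : sandbox.split(/\s+/).filter(Boolean);
  const opaque = tokens !== null && !tokens.includes("allow-same-origin");
  return opaque ? "null" : new URL(frameUrl).origin;
}

// el: { href, crossorigin (null when absent), integrity (null when absent) }
// responseHeaders: lower-cased header names from the asset response
function checkSubresource(frameUrl, sandbox, el, responseHeaders) {
  const origin = documentOrigin(frameUrl, sandbox);
  const target = new URL(el.href, frameUrl).origin;
  if (origin !== "null" && origin === target) {
    return { loads: true, reason: "same-origin" };
  }
  if (el.crossorigin === null) {
    // no-cors fetch: the response is opaque, so SRI cannot verify it.
    return el.integrity
      ? { loads: false, reason: "integrity on opaque response" }
      : { loads: true, reason: "no-cors opaque response" };
  }
  // Any crossorigin value (even empty) forces a CORS request.
  const withCreds = el.crossorigin.toLowerCase() === "use-credentials";
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { loads: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (acao === "*" && !withCreds) return { loads: true, reason: "wildcard allowed" };
  if (acao !== origin) {
    return { loads: false, reason: "Access-Control-Allow-Origin mismatch" };
  }
  if (withCreds && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { loads: false, reason: "credentials not allowed" };
  }
  return { loads: true, reason: "origin allowed" };
}

// Values taken from the ticket's example embed; response headers are constructed.
const FRAME = "https://mastodon.social/@Josh412/110191480902863091/embed";
const CSS = { href: "/packs/css/common-a844dc34.css", crossorigin: "anonymous",
  integrity: "sha256-P7jsS35wKfKZ7egDM6otdXk7d8JjmsE5i9R8SD1vD8s=" };
console.log(checkSubresource(FRAME, "allow-scripts", CSS, {}));
```

Because the sandboxed frame's origin serializes as `null`, echoing the instance's own origin in the header does not satisfy the check; the constructed cases in the model pass only with `*` or `null`.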

