The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

oEmbed Iframes (7 posts)

  1. robmoffat
    Posted 4 years ago #

    In the oembed spec, (see oembed.com) it suggests that returned media should be placed inside an iframe to avoid XSS attacks. However, I have noticed in using this feature that wordpress doesn't perform this function automatically.

    Instead, there is the concept of an oEmbed 'whitelist', which is a list of supported oEmbed providers.

    So I guess my question is, why did wordpress go down the whitelist route, rather than simply allow any embed provider, and check that the content returned was iframed to avoid the security issue?



  2. "This is to prevent accidental embedding from malicious websites."

    You can actually add you own oembeds :)

    Check out http://codex.wordpress.org/Embeds

    And there's a plugin to use any oembed provider.

  3. robmoffat
    Posted 4 years ago #

    Hi Mika,

    Actually, that wasn't my question, but thanks for attempting an answer.

    What I am asking is this: there are clearly two different approaches to securing oEmbed, the whitelist approach (which wordpress uses) and the iframe approach (as detailed on the oEmbed.com site). Why has WordPress chosen the former?

    From my limited understanding, it seems a weaker solution to me as it requires the maintenance of the whitelist, but I expect I am missing something.



  4. Why has WordPress chosen the former?

    I did answer:

    "This is to prevent accidental embedding from malicious websites."

    That's the answer.

  5. robmoffat
    Posted 4 years ago #

    I'm pretty sure you're aware of the difference between me asking "what is the point of feature X?" and "why is feature X implemented in a given way?". So, I'll just read your flippancy as that you don't know.

    Does anyone else have an insight into this design decision? It seems to me a choice of quickest-to-implement over best, but the whole reason I am asking is that I may well be missing some of the finer detail on it.

  6. I wasn't being flip. I was giving you the reason, security, without diving into the yonks and miles of discussion. You could look all that up if you wanted in trac :) It started about three years ago in 2.9 - http://core.trac.wordpress.org/ticket/10337

    IMO, it's becuase of XSS vulnerabilities.

    Iframes are a popular access point for XSS attacks, and by leaving them locked to just the site admins (who can still paste in Iframe, but no one else can), WP prevents the users from shooting themselves in the foot. Also, keep in mind that the same code you have on your site is what runs WordPress.com, so it's to their benefit to prevent the thousands of bloggers from blasting everyone.

    Yes, we could parse the iframe, but that's still slightly more risky. This way is nicely extendable, safe as houses, and compatible with everything.

  7. robmoffat
    Posted 4 years ago #

    Awesome answer thanks!

Topic Closed

This topic has been closed to new replies.

About this Topic