Support » Requests and Feedback » oEmbed Iframes

  • In the oembed spec, (see it suggests that returned media should be placed inside an iframe to avoid XSS attacks. However, I have noticed in using this feature that wordpress doesn’t perform this function automatically.

    Instead, there is the concept of an oEmbed ‘whitelist’, which is a list of supported oEmbed providers.

    So I guess my question is, why did wordpress go down the whitelist route, rather than simply allow any embed provider, and check that the content returned was iframed to avoid the security issue?



Viewing 6 replies - 1 through 6 (of 6 total)
  • “This is to prevent accidental embedding from malicious websites.”

    You can actually add you own oembeds 🙂

    Check out

    And there’s a plugin to use any oembed provider.

    Hi Mika,

    Actually, that wasn’t my question, but thanks for attempting an answer.

    What I am asking is this: there are clearly two different approaches to securing oEmbed, the whitelist approach (which wordpress uses) and the iframe approach (as detailed on the site). Why has WordPress chosen the former?

    From my limited understanding, it seems a weaker solution to me as it requires the maintenance of the whitelist, but I expect I am missing something.



    Why has WordPress chosen the former?

    I did answer:

    “This is to prevent accidental embedding from malicious websites.”

    That’s the answer.

    I’m pretty sure you’re aware of the difference between me asking “what is the point of feature X?” and “why is feature X implemented in a given way?”. So, I’ll just read your flippancy as that you don’t know.

    Does anyone else have an insight into this design decision? It seems to me a choice of quickest-to-implement over best, but the whole reason I am asking is that I may well be missing some of the finer detail on it.

    I wasn’t being flip. I was giving you the reason, security, without diving into the yonks and miles of discussion. You could look all that up if you wanted in trac 🙂 It started about three years ago in 2.9 –

    IMO, it’s becuase of XSS vulnerabilities.

    Iframes are a popular access point for XSS attacks, and by leaving them locked to just the site admins (who can still paste in Iframe, but no one else can), WP prevents the users from shooting themselves in the foot. Also, keep in mind that the same code you have on your site is what runs, so it’s to their benefit to prevent the thousands of bloggers from blasting everyone.

    Yes, we could parse the iframe, but that’s still slightly more risky. This way is nicely extendable, safe as houses, and compatible with everything.

    Awesome answer thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘oEmbed Iframes’ is closed to new replies.