WordPress.org

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #32522, comment 33


Timestamp: 07/16/2015 02:08:54 AM (6 years ago)
Author: WraithKenny

  • Ticket #32522, comment 33

    initial  v1
    1        1   I'm thinking that if the technology is there, the decisions would be up to the users (opt in, site by site basis). The user of Site A would make the choice to enable oembed (off by default), considering for herself whether her server could handle the load (if iframes are used) and the user of Site B would make the informed decision of whether to trust Site A's embed content, and if so, add it to their own locally extended whitelist. This frees us from those concerns that you've outlined (even sanitation concerns: we don't sanitize YouTube do we?).
    2        2
             3   In other words, don't enable the oembed provider by default, and don't add any sites to the whitelist. Let the admins enable those.
             4
    3        5   Our concerns would be for the opt in processes on both ends (UI, filters/actions) and the type of embed format (iframe, other, or both).