WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#34588 closed enhancement (wontfix)

Add a filter to disable non-SSL embeds on SSL sites

Reported by: pento Owned by: pento
Milestone: Priority: normal
Severity: normal Version:
Component: Embeds Keywords:
Focuses: Cc:

Description

Sometimes, you just don't want this message to show:

https://i.cloudup.com/Hd9tok8t-s-2000x2000.png

(Ignore the Instagram URL, it's an old screen shot.)

Instead, a filter to disable non-SSL embeds on SSL sites would be handy.

Attachments (1)

34588.diff (1.0 KB) - added by pento 4 years ago.

Download all attachments as: .zip

Change History (14)

@pento
4 years ago

#1 @pento
4 years ago

  • Keywords has-patch 2nd-opinion added
  • Owner set to pento
  • Status changed from new to assigned

34588.diff adds a filter, but I'm not 100% sure about the allow_non_ssl_embeds name - it implies disabling non-SSL embeds under all circumstances.

I would like some more opinions on which colour to paint this bikeshed.

#2 @extendwings
4 years ago

How about allow_insecure_embeds? (Chrome is using --allow-running-insecure-content)

#3 @Viper007Bond
4 years ago

Shouldn't it be something like allow_insecure_embed_previews or something since this is specifically about editor previews and not embeds themselves?

#4 follow-up: @johnbillion
4 years ago

Are you talking about just the preview or for the embed in general?

The current message is mainly for sites that use HTTPS in the admin area but HTTP on the front end.

#5 in reply to: ↑ 4 @swissspidy
4 years ago

Replying to johnbillion:

Are you talking about just the preview or for the embed in general?

The current message is mainly for sites that use HTTPS in the admin area but HTTP on the front end.

What happens when your site is HTTPS-only and you try to insert an HTTP URL? Is the message shown as well?

#6 @pento
4 years ago

  • Keywords 2nd-opinion removed

Thanks for the feedback, everyone!

@extendwings: Thanks for the name suggestion, I'll go with that.

I've also moved the filter to WP_Embed::shortcode(), so that insecure embeds can be completely disabled in both the editor and the frontend.

#7 @pento
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 35640:

Embeds: Add the allow_insecure_embeds filter.

This allows a site to disable non-SSL embeds.

Fixes #34588.

#8 @johnbillion
4 years ago

  • Keywords 2nd-opinion added; has-patch removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

I'm not sure that this filter is really functioning as intended.

Embedding an HTTP URL often results in an HTTPS URL being returned from the oEmbed provider, as many of the providers force HTTPS on their sites.

The logic around the allow_insecure_embeds filter only checks the requested embed URL, which means embedding a URL such as http://instagr.am/p/MRM3HQy6kh/ is blocked if the allow_insecure_embeds filter returns false, even though the response from Instagram's oEmbed endpoint contains an HTTPS iframe.

In addition, the phrase "cannot be embedded securely" doesn't appear in core. It looks like this functionality has been removed. Currently looking into it.

#9 @johnbillion
4 years ago

Okay the failure text now reads %s failed to embed, where % is the URL.

I still don't think this filter does what you would expect. When it returns false, it prevents any non-HTTPS URL from being embedded, even though the response from the oEmbed provider may well be a perfectly secure HTTPS response.

#10 @pento
4 years ago

  • Keywords 2nd-opinion removed

That's an excellent point.

On further consideration, this would be far better done in the embed_oembed_html filter, instead. I'll revert [35640], because it really doesn't do what it says it does.

#11 @pento
4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 35702:

Embeds: Remove the allow_insecure_embeds filter.

This reverts [35640]. On further reflection, it really didn't do what it said it did.

Fixes #34588.

#12 @SergeyBiryukov
4 years ago

  • Milestone 4.4 deleted
  • Resolution changed from fixed to wontfix

This ticket was mentioned in Slack in #bbpress by netweb. View the logs.


3 years ago

Note: See TracTickets for help on using tickets.