#34588 closed enhancement (wontfix)
Add a filter to disable non-SSL embeds on SSL sites
Reported by: | pento | Owned by: | pento |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Embeds | Keywords: | |
Focuses: | Cc: |
Attachments (1)
Change History (14)
#1
@
9 years ago
- Keywords has-patch 2nd-opinion added
- Owner set to pento
- Status changed from new to assigned
#2
@
9 years ago
How about allow_insecure_embeds
? (Chrome is using --allow-running-insecure-content
)
#3
@
9 years ago
Shouldn't it be something like allow_insecure_embed_previews
or something since this is specifically about editor previews and not embeds themselves?
#4
follow-up:
↓ 5
@
9 years ago
Are you talking about just the preview or for the embed in general?
The current message is mainly for sites that use HTTPS in the admin area but HTTP on the front end.
#5
in reply to:
↑ 4
@
9 years ago
Replying to johnbillion:
Are you talking about just the preview or for the embed in general?
The current message is mainly for sites that use HTTPS in the admin area but HTTP on the front end.
What happens when your site is HTTPS-only and you try to insert an HTTP URL? Is the message shown as well?
#6
@
9 years ago
- Keywords 2nd-opinion removed
Thanks for the feedback, everyone!
@extendwings: Thanks for the name suggestion, I'll go with that.
I've also moved the filter to WP_Embed::shortcode()
, so that insecure embeds can be completely disabled in both the editor and the frontend.
#8
@
9 years ago
- Keywords 2nd-opinion added; has-patch removed
- Resolution fixed deleted
- Status changed from closed to reopened
I'm not sure that this filter is really functioning as intended.
Embedding an HTTP URL often results in an HTTPS URL being returned from the oEmbed provider, as many of the providers force HTTPS on their sites.
The logic around the allow_insecure_embeds
filter only checks the requested embed URL, which means embedding a URL such as http://instagr.am/p/MRM3HQy6kh/
is blocked if the allow_insecure_embeds
filter returns false, even though the response from Instagram's oEmbed endpoint contains an HTTPS iframe.
In addition, the phrase "cannot be embedded securely" doesn't appear in core. It looks like this functionality has been removed. Currently looking into it.
#9
@
9 years ago
Okay the failure text now reads %s failed to embed
, where %
is the URL.
I still don't think this filter does what you would expect. When it returns false, it prevents any non-HTTPS URL from being embedded, even though the response from the oEmbed provider may well be a perfectly secure HTTPS response.
#10
@
9 years ago
- Keywords 2nd-opinion removed
That's an excellent point.
On further consideration, this would be far better done in the embed_oembed_html
filter, instead. I'll revert [35640], because it really doesn't do what it says it does.
34588.diff adds a filter, but I'm not 100% sure about the
allow_non_ssl_embeds
name - it implies disabling non-SSL embeds under all circumstances.I would like some more opinions on which colour to paint this bikeshed.