Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#36301 closed enhancement (maybelater)

oEmbed whitelist for Knight Lab tools

Reported by: JoeGermuska Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Embeds Keywords: has-patch
Focuses: Cc:


I'm not clear on what considerations go into whitelisting oEmbed providers, but I offer this patch to support oEmbed for Knight Lab's internationally popular free javascript storytelling tools, TimelineJS, StoryMapJS, and JuxtaposeJS.

Attachments (1)

36301.diff (2.2 KB) - added by JoeGermuska 6 years ago.
oembed whitelist patch

Download all attachments as: .zip

Change History (5)

6 years ago

oembed whitelist patch

#1 @swissspidy
6 years ago

  • Keywords has-patch added

Hey there,

Welcome to trac and thanks for the patch!

There's a certain standard for oEmbed providers in core, see https://make.wordpress.org/core/handbook/contribute/design-decisions/#whitelisting-oembed-providers for more information. Answers to the questions on that page would be a good starting point.

It looks like oEmbed support for TimelineJS & Co. is quite new as I can't find any documentation about it. Besides that, the Knight Lab Timeline plugin has only ~2000 installs as of now.

Please note that as of version 4.4, WordPress has oEmbed auto-discovery turned on and allows <iframe> embeds through it (with some rules regarding security though).

#2 @JoeGermuska
6 years ago

@swissspidy thanks for that link. I spent a lot of time searching and I had a lot of trouble finding anything like that, but we'll take a look at it.

Auto-discovery is challenging for two of the three tools because, by circumstances of history, the same HTML page uses URL parameters to serves all renderings. We can only support discovery if the agents evaluate javascript on the page. We're evaluating re-engineering that, but aren't ready to commit the energy to that change just yet.

Also, for the one of the three where we render custom HTML for each project and can support auto-discovery, we've actually stumbled into a CORS problems with the security treatment -- the origin is sent as null. That's not your problem, of course, but if anyone reading this has pointers, I'm open to them.

More after I do my homework.

Version 0, edited 6 years ago by JoeGermuska (next)

#3 @chriscct7
5 years ago

  • Version trunk deleted

#4 @johnbillion
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to maybelater
  • Status changed from new to closed

I'm closing this as maybelater to aid with issue management. This doesn't mean we won't add support for knightlab.com, just that it's not mature enough at the moment. Discussion can continue while the ticket remains closed.

Note: See TracTickets for help on using tickets.