Make WordPress Core

Opened 2 years ago

Last modified 14 months ago

#39097 reopened defect (bug)

Links in embeds can't be opened in a new tab

Reported by: smerriman Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.4
Component: Embeds Keywords: needs-patch needs-testing
Focuses: Cc:


While reading https://make.wordpress.org/core/2016/12/05/wordpress-4-7-field-guide/, which contains many embeds, I wanted to open up all items of interest in new tabs so I could read through them.

In Firefox, mousewheel-clicking, ctrl-clicking, or right clicking a link in an embed immediately opens the link in the same tab (in the last case, without the normal right click menu appearing at all).

In Chrome, mousewheel-clicking does nothing; ctrl-clicking opens it in the same tab, while right clicking does work.

This appears to all be caused by the sandbox attribute on the iframe.

Not allowing the link to open in a new tab seems very wrong, especially when multiple embeds are in a post.

Change History (16)

#1 @swissspidy
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #35239.

#2 @johnbillion
2 years ago

  • Keywords needs-patch needs-testing added
  • Milestone set to Awaiting Review
  • Resolution duplicate deleted
  • Status changed from closed to reopened

This is not actually a duplicate of #35239. The bug reported is that it's not possible to use ctrl/cmd click to open a link in an embed in a new tab.

This behaviour can be seen in the 4.7 field guide post at https://make.wordpress.org/core/2016/12/05/wordpress-4-7-field-guide/ where the bug was also reported in the comments.

#3 @swissspidy
2 years ago

Cmd+click and why it's not possible right now has been discussed in exactly this ticket, even though the inital question was about making that the default behaviour. Anyway, worth a read.

#4 @smerriman
2 years ago

Yep, the other ticket contains details on the same issue. This feels like a pretty major flaw of embeds though.

Website owners often add target="_blank" to try to "keep people on their site" - this is of course a bad thing to do as discussed in the other ticket. However, having a feature which *forces* someone off their site, highly unexpectedly, and disables the right click context menu feels even worse. I can't imagine any site owner would want to use embeds if they knew this would be the result.

I'm sure there were good reasons for hijacking the links in the way done currently, but most uses of iframes would never require this (think, say, Twitter embeds) - does the gain outweigh the cost?

Last edited 2 years ago by smerriman (previous) (diff)

#5 @swissspidy
2 years ago

I'm sure there were good reasons for hijacking the links in the way done currently, but most uses of iframes would never require this (think, say, Twitter embeds) - does the gain outweigh the cost?

The problem is, when you embed tweets you know they come from a trusted source. With oEmbed discovery, you can basically embed any website, which makes it quite dangerous. Using JavaScript trickery, one could easily trick visitors into visiting sites they didn't intend to visit. That's why currently you can only click on links leading to the same host.

In #35239 I shared an idea on how to resolve this and enable opening links in a new tab by using cmd/ctrl click and why it's not possible right now. Hence my point that this ticket here is a duplicate.

#6 @swissspidy
2 years ago

  • Version set to 4.4

#7 @newsplugin.com
22 months ago

What about the right button? I understand that there may be problems when opening links, but I see no reason why right button default functionality of context menu need to be disabled. Ever.

#8 @swissspidy
22 months ago

@newsplugin.com As far as I can tell, there's no problem with the context menu. You should be able to right click -> open in new tab without problems. Browsers will handle this differently and won't execute our JavaScript in that case. The problem is just with cmd/ctrl + click.

#9 @smerriman
22 months ago

Nope, it still definitely affects right clicking, as mentioned in my original ticket. In Firefox, the behaviour appears to have changed slightly; I now see the context menu appear, but the link starts loading instantly at the same time, so I quickly end up on the wrong page.

#10 @Mte90
17 months ago

I tried to replicate right now but seems that oembed are disabled in the page on the first comment.

#11 @swissspidy
17 months ago

@Mte90 You can simply embed a post on your local blog in another post to test embeds.

#12 @Mte90
14 months ago

After a little bit of testing seems that to enable from an iframe to open a link in a new tab is something that need to be changed in the content of the link of the iframe.
For a purpose of security need a little bit of javascript hacking. So the only way is to inject a little bit of JS in every page that contain the embed, is something fine on WordPress?

#13 @swissspidy
14 months ago

@Mte90 I'm not sure I fully understand your proposal. The problem with this ticket right now is that embeds need to change their postMessage() calls in a way that they're not backward compatible with the current way. Instead of just sending the URL being clicked, they also need to send whether the tab should open in a new window or not. However, opening links in a new window via JavaScript is usually blocked by browsers. That's why this tickets sounds more like a wontfix to me.

If you want to completely allow shift-clicks for links on your site, you'd probably have to remove the sandbox attributes from the iframe HTML and adjust the JS to not use postMessage() for the links.

#14 @smerriman
14 months ago

Even if you're fine with the idea of disabling shift-click or control click, the broken right-click context menu in Firefox surely still has to be considered a bug that needs fixing. I am still able to replicate this - right clicking shows the context menu, but immediately starts loading the link I right-clicked on.

Last edited 14 months ago by smerriman (previous) (diff)

#15 @Mte90
14 months ago

Yes, we need to hack from javascript and changing the embed itself (sorry for my explanation).
Also for the fix probably of Firefox that (on right click) open the link (happen also to me) require a fix in the embed.
Probably is better to open a ticket for the make website and not on WordPress because is something that we cannot handle so quite easily from the page.

#16 @smerriman
14 months ago

Also, I'm not actually sure why the issue of browsers blocking links from opening in a new window is an issue.

If the browser allows it, everything works fine.
If the browser disallows it, nothing happens.

Nothing happening is better than something completely unexpected happening.

(Or probably not even nothing; an alert that a new window popping up has been blocked, which you can probably then unblock.)

Last edited 14 months ago by smerriman (previous) (diff)
Note: See TracTickets for help on using tickets.