Opened 7 years ago
Closed 7 years ago
#43136 closed defect (bug) (invalid)
WP_oEmbed_Controller->get_item() returns a blockquote without the data-secret attribute
Reported by: | imath | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.4 |
Component: | Embeds | Keywords: | has-patch has-unit-tests |
Focuses: | rest-api | Cc: |
Description
Hi,
Working on an issue with Gutenberg about self embed posts, i've noticed this Rest controller's callback (get_item()
) was not returning a reply containing the data-secret
attributes the wp-embed.js
script needs in order to hide the blockquote.
That's probably because the filter pre_oembed_result
is not fired. Resetting the $data['html']
using the wp_filter_pre_oembed_result()
is making sure the data-secret attribute is added when returning the reply.
Attachments (1)
Change History (4)
#3
@
7 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
The current behaviour of the endpoint is correct, the secret must to be added by the embedding site, not the embedded site.
If the embedded site were to provide a secret that the embedding site then trusted, it could potentially give a secret that another embed on the same page is using. That would allow the embedded site to break out of the iframe on page load (instead of when it's being interacted with), or prevent other embedded sites from functioning correctly.
I'm going to close this issue, and review the Gutenberg issue.
For some history: this goes all the way back to https://github.com/swissspidy/oEmbed-API/pull/27.
Shouldn't the
wp-embed.js
script add secrets if they're missing? If that's not working properly, I'd fix that in the JS.@pento Perhaps you remember this better than I do :-)