Make WordPress Core

Opened 4 years ago

Closed 2 years ago

#52240 closed enhancement (wontfix)

Add ActBlue as an oEmbed Provider

Reported by: actblue
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Embeds
Keywords: 2nd-opinion reporter-feedback close needs-patch
Focuses:
Cc:

Description

Here is the ActBlue oEmbed endpoint: https://secure.actblue.com/cf/oembed
Here is an example query with a response: https://secure.actblue.com/cf/oembed?url=https://secure.actblue.com/donate/actblue-1-embed
The pattern for embeddable urls is: https://secure.actblue.com/donate/.*

  1. Is the service popular enough for core developers to have heard of it before? Is it “mainstream?”

ActBlue is a well-established platform for progressive fundraising. In the last election cycle we processed a total of almost 127 million contributions with the total amount reaching 4.8 billion dollars.

  1. If similar services are already supported, how does this service compare in terms of size, features, and backing?

As far as we can tell there is not another oEmbed provider that provides contributions forms for progressive organizations and campaigns.

  1. Does this service have a large following on Twitter, Facebook, or other social media? Is its Twitter account verified?

ActBlue is both Instagram and Twitter verified. We currently have 40.6K followers on Twitter.

  1. Is its oEmbed endpoint clearly established and properly documented? (Sometimes, they are just a developer’s pet project that may not be supported.)

ActBlue do not have public facing developer documentation for the oEmbed endpoint but it follows the oEmbed spec. We plan to release developer documentation during this election cycle.

  1. Does the oEmbed endpoint work with WordPress’ oEmbed auto-discovery? If not, could it be made to work with additional HTML tags or attributes being whitelisted?

ActBlue's embed does not work with the WordPress auto-discovery because the filtering mechanisms remove the sandbox and allowpaymentrequest attributes necessary to process contributions.

  1. Does the service make an effort to build relationships with developers, such as through robust APIs?

ActBlue works closely with developers at various organizations and various campaigns.

  1. How old is the service?

ActBlue is 14 years old.

  1. Does it have a well-established Wikipedia article? (Seriously.)

Yes, ActBlue does have a well-established Wikipedia page: https://en.wikipedia.org/wiki/ActBlue

  1. Has anyone written a WordPress plugin that leverages the service in some way, whether adding it as an oEmbed provider, creating a shortcode, or leveraging other APIs of the service?

We just released our first WordPress plugin with the primary purpose of adding our oEmbed endpoint to the oEmbed Providers list. Our WordPress plugin can be found here: https://wordpress.org/plugins/actblue-contributions/

  1. Do these plugins have any noticeable adoption or traction that would indicate usage and demand?

ActBlue released our plugin publicly right before the holidays. We are planning a formal launch and announcement this month (January 2021).

  1. Is the provider frequently proposed?

ActBlue has received many requests for integrated forms, specifically from our nonprofit users on the WordPress platform.

Change History (18)

#1 @melchoyce
4 years ago

I've worked on a ton of candidate sites on WordPress over the past two years — core support for ActBlue's oembed endpoint would have been super helpful.

#2 @audrasjb
4 years ago

  • Keywords 2nd-opinion reporter-feedback added

Hello, welcome to WordPress Core Trac and thank you for opening this ticket!

Thank you for answering the questions, the submission sounds legit on my side. I have only one small concern about this proposal: maybe it's just me, but as a non US citizen, I feel a bit concerned about onboarding a very (only?) US-centered oEmbed provider/platform.

Last edited 4 years ago by audrasjb

#3 @peterwilsoncc
4 years ago

  • Keywords close added

I share @audrasjb's concern about adding such a US centric service to the oembed allow list, especially given it's targeting a fairly niche market of political campaign sites.

@actblue if you limit the iframe attributes to src, width, height, frameborder, marginwidth, marginheight, scrolling and title the built-in auto discovery service will allow for embeds automatically.

For now, I think it's best to keep an eye on the plugin to see if the installation base grows. It's currently very low but as it's only four weeks old, that doesn't really mean anything at this stage.

#4 @jorbin
4 years ago

I think this would be a good addition. While ActBlue is primarily used in one nation, we have other embed providers that are single nation-specific, namely the numerous Amazon endpoints. Further, in our design decisions document, the guidelines for core supported providers are:

  • be well-established, popular, and mainstream services,
  • properly and fully implement the oEmbed specification,
  • and clearly be a trusted provider.

I feel the answer to whether ActBlue fits that standard is yes.

Finally, I don't think removing the sandbox attribute from the iframe would be beneficial for users of the embed as ActBlue is a fundraising platform.

#5 @jorbin
4 years ago

  • Keywords needs-patch added

#6 follow-up: @samueldcole
4 years ago

Hi!

I'm a Software Engineer at ActBlue, and the lead engineer on the ActBlue embed form, and I cowrote this ticket.

We would love if the oEmbed discovery would work out of the box, and I spent some time reducing our HTML snippet in the oEmbed response to the minimum <iframe>, however because our embed processes payments, we need a few things that the sanitizer removes:

allowpaymentrequest: this allows Google Pay to process payments on Android devices without users needing to proceed through a bunch of forms, it wouldn't be a huge loss, but it does make the form easier and I'm not sure if there's an explicit reason that it's removed.

sandbox: we use a full menu of sandbox attributes (allow-storage-access-by-user-activation allow-scripts allow-same-origin allow-forms allow-popups), which gets overwritten by sandbox="allow-scripts".

  • allow-storage-access-by-user-activation: we use this to identify returning donors on Safari devices, which isn't critical, but it makes the form easier for those folks.
  • allow-scripts: *required*: since our whole embed is a JavaScript/React app (but WordPress already includes this).
  • allow-same-origin: *required for accepting credit cards*: our internal PCI sandbox uses the document origin to establish a communication channel.
  • allow-forms: *required*: our whole embed is a form, and for accessibility we rely on traditional HTML <form> behavior.
  • allow-popups: *required for PayPal*: PayPal will spawn a popup to authenticate payments, additionally we have a few links that need to open in new windows. It might be ok to lose those, but a decent number of contributions come through PayPal.

I believe the easiest path to making ActBlue urls embeddable through the Embed block is to allowlist our oembed provider so that it isn't subject to sanitization. However, if the embed sanitization allows for these attributes, it might be useful for other people with embeddable payment systems.
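
Added example, not part of the ticket and not WordPress's own code: a small Python model of the filtering described in comments 3 and 6, reporting what an oEmbed iframe loses under auto-discovery. The attribute allowlist and the forced sandbox value are taken from those comments; the sample iframe markup and the name `audit_embed` are constructed for illustration.

```python
from html.parser import HTMLParser

# iframe attributes that survive auto-discovery filtering, as listed in comment 3.
DISCOVERY_IFRAME_ATTRS = {
    "src", "width", "height", "frameborder",
    "marginwidth", "marginheight", "scrolling", "title",
}
# Sandbox value imposed on discovered embeds, as reported in comment 6.
FORCED_SANDBOX = {"allow-scripts"}

# Constructed sample: an iframe carrying the attributes comment 6 says the form needs.
SAMPLE_HTML = (
    '<iframe src="https://secure.actblue.com/donate/actblue-1-embed" '
    'width="100%" height="600" title="Donate" allowpaymentrequest '
    'sandbox="allow-storage-access-by-user-activation allow-scripts '
    'allow-same-origin allow-forms allow-popups"></iframe>'
)


class _FirstIframe(HTMLParser):
    """Collects the attributes of the first <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and self.attrs is None:
            # Valueless attributes such as allowpaymentrequest arrive as None.
            self.attrs = {name: value or "" for name, value in attrs}


def audit_embed(html):
    """Report what the modelled filter would strip from an oEmbed iframe."""
    parser = _FirstIframe()
    parser.feed(html)
    if parser.attrs is None:
        raise ValueError("no <iframe> found in oEmbed html")
    requested = set(parser.attrs.get("sandbox", "").lower().split())
    return {
        "stripped_attrs": sorted(set(parser.attrs) - DISCOVERY_IFRAME_ATTRS - {"sandbox"}),
        "sandbox_requested": "sandbox" in parser.attrs,
        "sandbox_lost": sorted(requested - FORCED_SANDBOX),
        # Scripts plus real origin: review that the frame stays cross-origin to the host page.
        "scripts_with_same_origin": {"allow-scripts", "allow-same-origin"} <= requested,
    }


if __name__ == "__main__":
    for key, value in audit_embed(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```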

#7 @peterwilsoncc
4 years ago

Thanks @samueldcole, those limitations all make sense in which case I think the plugin is the best option for now. As I mentioned above, monitoring the install base once it becomes established will help give an indication of whether the endpoint ought to be added to the WordPress allow list.

@jorbin I think the region specific domains you point to are better said to be ensuring that a global service can be used globally. In the case of Amazon, it's a general use service rather than a niche service, which is the second reason I don't think ActBlue belongs in the WordPress allow list for now. Only a very few sites are for political campaigns requiring such an embed.

#8 in reply to: ↑ 6 @peterwilsoncc
4 years ago

Replying to samueldcole:

I'm a Software Engineer at ActBlue, and the lead engineer on the ActBlue embed form, and I cowrote this ticket.

Sorry, I forgot to ask, could you please reply with the WordPress accounts of the other individual/s who cowrote this ticket? Rather than an account for a company-like structure, it helps to know the people you are talking to.

#9 @desrosj
2 years ago

Circling back to this ticket going through the list of tickets marked as close candidates.

It appears the plugin is currently sitting at the 300+ install mark after ~16 months.

ActBlue do not have public facing developer documentation for the oEmbed endpoint but it follows the oEmbed spec. We plan to release developer documentation during this election cycle.

@actblue and @samueldcole: If this is something that's still supported and you'd still like to see, could you provide an update on this item? Has public facing developer documentation been published?

#10 @ashprice
2 years ago

Hi I'm Ash, an engineering manager at ActBlue on the Extensibility and Integrations team.
Thanks for circling back on this. This is still a feature we support and would like to move forward with the request to add ActBlue as an oEmbed provider. Over the past months, we've gone through some team changes, apologies for falling off on some of this work.
We don't have the documentation published yet, but it is something that we're prioritizing and hoping to complete over the next couple of weeks and we'll provide an update here once this is complete.

#11 follow-up: @peterwilsoncc
2 years ago

As I mentioned above I think this service is too niche to include in the allow list.

It targets a subset of a subset of a subset: American websites with political content wishing to raise funds for a single political party.

Even if public documentation is added, I do not see a general appeal for this as an embed across all WP users and continue to be of the view this ought to be closed.

#12 in reply to: ↑ 11 ; follow-up: @antoinette4ab
2 years ago

The below is actually not true. ActBlue is also used by American non-profits https://secure.actblue.com/abcharities

Replying to peterwilsoncc:

It targets a subset of a subset of a subset: American websites with political content wishing to raise funds for a single political party.

Even if public documentation is added, I do not see a general appeal for this as an embed across all WP users and continue to be of the view this ought to be closed.

#13 in reply to: ↑ 12 @ashprice
2 years ago

In addition, I'd like to add that our embedded form and embed feature are primarily and mostly used by our non-profit users and a majority of those users use WP. That was one of the driving forces behind building our WP plugin and developing our oEmbed endpoint.

Replying to antoinette4ab:

The below is actually not true. ActBlue is also used by American non-profits https://secure.actblue.com/abcharities

Replying to peterwilsoncc:

It targets a subset of a subset of a subset: American websites with political content wishing to raise funds for a single political party.

Even if public documentation is added, I do not see a general appeal for this as an embed across all WP users and continue to be of the view this ought to be closed.

#14 @audrasjb
2 years ago

Ok but as far as I know, ActBlue service only targets US citizens, right?
In my opinion, it disqualifies it for a Core inclusion.

Honestly, having a specific embed block for this would add an unneeded feature to all non-US websites (and that's a lot of websites!). I think it should stay as a plugin, it's too much US-centric :)

Last edited 2 years ago by audrasjb

#15 @samueldcole
2 years ago

Is there a way to allow list the ActBlue oembed provider without adding a block? The sanitizer removes needed functionality for payment processing…

#16 @audrasjb
2 years ago

The sanitizer removes needed functionality for payment processing…

If there is a wp core sanitization that you can't filter easily, this of course needs to be handled in another ticket :)

What's the exact issue with this sanitization? Is it possible to hook/filter it?

#17 @samueldcole
2 years ago

I listed out the things ActBlue would need above: https://core.trac.wordpress.org/ticket/52240#comment:6

#18 @JeffPaul
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I concur that the limitations to the target audience of this oEmbed & block seem too small compared to the much larger WordPress userbase, that the existing plugin appears to solve this sufficiently for its target audience and the feature should likely continue to exist as a plugin and not part of core, and unfortunately will close this as wontfix. Thanks to all for the discussion and work here, should the functionality of the service open to a more worldwide audience then I believe it could then be re-considered for inclusion in core.
