Make WordPress Core

Opened 13 months ago

Last modified 13 months ago

#52240 new enhancement

Add ActBlue as an oEmbed Provider

Reported by: actblue Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Embeds Keywords: 2nd-opinion reporter-feedback close needs-patch
Focuses: Cc:


Here is the ActBlue oEmbed endpoint: https://secure.actblue.com/cf/oembed
Here is an example query with a response: https://secure.actblue.com/cf/oembed?url=https://secure.actblue.com/donate/actblue-1-embed
The pattern for embeddable urls is: https://secure.actblue.com/donate/.*

  1. Is the service popular enough for core developers to have heard of it before? Is it “mainstream?”

ActBlue is a well-established platform for progressive fundraising. In the last election cycle we processed a total of almost 127 million contributions with the total amount reaching 4.8 billion dollars.

  1. If similar services are already supported, how does this service compare in terms of size, features, and backing?

As far as we can tell, there is not another oEmbed provider that provides contribution forms for progressive organizations and campaigns.

  1. Does this service have a large following on Twitter, Facebook, or other social media? Is its Twitter account verified?

ActBlue is both Instagram and Twitter verified. We currently have 40.6K followers on Twitter.

  1. Is its oEmbed endpoint clearly established and properly documented? (Sometimes, they are just a developer’s pet project that may not be supported.)

ActBlue does not have public-facing developer documentation for the oEmbed endpoint, but it follows the oEmbed spec. We plan to release developer documentation during this election cycle.

  1. Does the oEmbed endpoint work with WordPress’ oEmbed auto-discovery? If not, could it be made to work with additional HTML tags or attributes being whitelisted?

ActBlue's embed does not work with the WordPress auto-discovery because the filtering mechanisms remove the sandbox and allowpaymentrequest attributes necessary to process contributions.

  1. Does the service make an effort to build relationships with developers, such as through robust APIs?

ActBlue works closely with developers at various organizations and various campaigns.

  1. How old is the service?

ActBlue is 14 years old.

  1. Does it have a well-established Wikipedia article? (Seriously.)

Yes, ActBlue does have a well-established Wikipedia page: https://en.wikipedia.org/wiki/ActBlue

  1. Has anyone written a WordPress plugin that leverages the service in some way, whether adding it as an oEmbed provider, creating a shortcode, or leveraging other APIs of the service?

We just released our first WordPress plugin with the primary purpose of adding our oEmbed endpoint to the oEmbed Providers list. Our WordPress plugin can be found here: https://wordpress.org/plugins/actblue-contributions/

  1. Do these plugins have any noticeable adoption or traction that would indicate usage and demand?

ActBlue released our plugin publicly right before the holidays. We are planning a formal launch and announcement this month (January 2021).

  1. Is the provider frequently proposed?

ActBlue has received many requests for integrated forms, specifically from our nonprofit users on the WordPress platform.

Change History (8)

#1 @melchoyce
13 months ago

I've worked on a ton of candidate sites on WordPress over the past two years — core support for ActBlue's oembed endpoint would have been super helpful.

#2 @audrasjb
13 months ago

  • Keywords 2nd-opinion reporter-feedback added

Hello, welcome to WordPress Core Trac and thank you for opening this ticket!

Thank you for answering the questions, the submission sounds legit on my side. I have only one small concern about this proposal: maybe it's just me, but as a non US citizen, I feel a bit concerned about onboarding a very (only) US-centered oEmbed provider/platform.


#3 @peterwilsoncc
13 months ago

  • Keywords close added

I share @audrasjb's concern about adding such a US centric service to the oembed allow list, especially given it's targeting a fairly niche market of political campaign sites.

@actblue if you limit the iframe attributes to src, width, height, frameborder, marginwidth, marginheight, scrolling and title the built-in auto discovery service will allow for embeds automatically.

For now, I think it's best to keep an eye on the plugin to see if the installation base grows. It's currently very low but as it's only four weeks old, that doesn't really mean anything at this stage.

#4 @jorbin
13 months ago

I think this would be a good addition. While ActBlue is primarily used in one nation, we have other embed providers that are single nation-specific, namely the numerous Amazon endpoints. Further, in our design decisions document, the guidelines for core supported providers are:

  • be well-established, popular, and mainstream services,
  • properly and fully implement the oEmbed specification,
  • and clearly be a trusted provider.

I feel the answer to whether ActBlue fits that standard is yes.

Finally, I don't think removing the sandbox attribute from the iframe would be beneficial for users of the embed as ActBlue is a fundraising platform.

#5 @jorbin
13 months ago

  • Keywords needs-patch added

#6 follow-up: @samueldcole
13 months ago


I'm a Software Engineer at ActBlue, and the lead engineer on the ActBlue embed form, and I cowrote this ticket.

We would love it if the oEmbed discovery would work out of the box, and I spent some time reducing our HTML snippet in the oEmbed response to the minimum <iframe>; however, because our embed processes payments, we need a few things that the sanitizer removes:

allowpaymentrequest: this allows Google Pay to process payments on Android devices without users needing to proceed through a bunch of forms. It wouldn't be a huge loss, but it does make the form easier, and I'm not sure if there's an explicit reason that it's removed.

sandbox: we use a full menu of sandbox attributes (allow-storage-access-by-user-activation allow-scripts allow-same-origin allow-forms allow-popups), which gets overwritten by sandbox="allow-scripts".

  • allow-storage-access-by-user-activation: we use this to identify returning donors on Safari devices, which isn't critical, but it makes the form easier for those folks.
  • allow-scripts: *required*: since our whole embed is a JavaScript/React app (but WordPress already includes this).
  • allow-same-origin: *required for accepting credit cards*: our internal PCI sandbox uses the document origin to establish a communication channel.
  • allow-forms: *required*: our whole embed is a form, and for accessibility we rely on traditional HTML <form> behavior.
  • allow-popups: *required for PayPal*: PayPal will spawn a popup to authenticate payments; additionally, we have a few links that need to open in new windows. It might be ok to lose those, but a decent number of contributions come through PayPal.

I believe the easiest path to making ActBlue urls embeddable through the Embed block is to allowlist our oembed provider so that it isn't subject to sanitization. However, if the embed sanitization allows for these attributes, it might be useful for other people with embeddable payment systems.
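Added example (not part of the ticket, and not WordPress or ActBlue code): a small Python model of the filtering described in comments #3 and #6, reporting which attributes and sandbox tokens an auto-discovered iframe loses and what comment #6 says each one is needed for. The sample iframe, its `src`, and the names `audit_embed` and `IMPACT` are constructed for illustration; forcing the sandbox value when the provider sent none is an assumption of the model.

```python
from html.parser import HTMLParser

# iframe attributes comment #3 lists as surviving auto-discovery filtering.
ALLOWED_IFRAME_ATTRS = {"src", "width", "height", "frameborder",
                        "marginwidth", "marginheight", "scrolling", "title"}
# Value that comment #6 reports replaces the provider-supplied sandbox list.
FORCED_SANDBOX = "allow-scripts"
# What each dropped item costs the embed, as stated in comment #6.
IMPACT = {
    "allowpaymentrequest": "Google Pay on Android",
    "allow-storage-access-by-user-activation": "returning donors on Safari",
    "allow-same-origin": "credit card acceptance",
    "allow-forms": "HTML form behavior",
    "allow-popups": "PayPal authentication popup",
}


class _FirstIframe(HTMLParser):
    """Record the attributes of the first <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and self.attrs is None:
            self.attrs = dict(attrs)  # names arrive lowercased


def audit_embed(html):
    """Model the filter: return the rewritten attributes and what was lost."""
    parser = _FirstIframe()
    parser.feed(html)
    parser.close()
    if parser.attrs is None:
        raise ValueError("oEmbed html contains no <iframe>")
    attrs = parser.attrs
    kept = {k: v for k, v in attrs.items() if k in ALLOWED_IFRAME_ATTRS}
    kept["sandbox"] = FORCED_SANDBOX  # model assumption: set even if none was sent
    lost = [k for k in attrs if k not in ALLOWED_IFRAME_ATTRS and k != "sandbox"]
    lost += [t for t in (attrs.get("sandbox") or "").split()
             if t not in FORCED_SANDBOX.split()]
    return kept, {name: IMPACT.get(name, "unknown") for name in lost}


# Constructed sample: the attribute set comment #6 describes, placeholder src.
SAMPLE = ('<iframe src="https://provider.example/form" title="Donate" '
          'allowpaymentrequest sandbox="allow-storage-access-by-user-activation '
          'allow-scripts allow-same-origin allow-forms allow-popups"></iframe>')
```

Calling `audit_embed(SAMPLE)` returns the attributes that remain after filtering and a mapping from each lost attribute or sandbox token to the feature comment #6 ties to it.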

#7 @peterwilsoncc
13 months ago

Thanks @samueldcole, those limitations all make sense, in which case I think the plugin is the best option for now. As I mentioned above, monitoring the install base once it becomes established will help give an indication of whether the endpoint ought to be added to the WordPress allow list.

@jorbin I think the region specific domains you point to are better said to be ensuring that a global service can be used globally. In the case of Amazon, it's a general use service rather than a niche service, which is the second reason I don't think ActBlue belongs in the WordPress allow list for now. Only a very few sites are for political campaigns requiring such an embed.

#8 in reply to: ↑ 6 @peterwilsoncc
13 months ago

Replying to samueldcole:

I'm a Software Engineer at ActBlue, and the lead engineer on the ActBlue embed form, and I cowrote this ticket.

Sorry, I forgot to ask, could you please reply with the WordPress accounts of the other individual/s who cowrote this ticket? Rather than an account for a company-like structure, it helps to know the people you are talking to.
