Open JoeGermuska opened 8 years ago
On Slack, @reefdog helped identify that WordPress adds attributes security="restricted" sandbox="allow-scripts" to the iframe which is embedded. Sure enough, a simple standalone HTML page with those fails.
Can we work around this?
test case
<html>
<head><title>iframe test</title></head>
<body>
<h1>with tags</h1>
<iframe class="wp-embedded-content" security="restricted" sandbox="allow-scripts"
src="https://s3.amazonaws.com/uploads.knightlab.com/storymapjs/7d5cf9cfc9fa75da134291f9fe3c57fb/sad-topographies/index.html"
width='100%' height='200' frameborder='0'></iframe>
<h1>without tags</h1>
<iframe class="wp-embedded-content"
src="https://s3.amazonaws.com/uploads.knightlab.com/storymapjs/7d5cf9cfc9fa75da134291f9fe3c57fb/sad-topographies/index.html"
width='100%' height='200' frameborder='0'></iframe>
</body>
</html>
I was pleased to find that oEmbed works already on WordPress.com sites, as can be tested with any recently created or re-published StoryMap, like this one:
https://uploads.knightlab.com/storymapjs/7d5cf9cfc9fa75da134291f9fe3c57fb/sad-topographies/index.html
The same, when used in a WordPress self-hosted site, seems to trigger the discovery, but when previewed, yields a CORS error because a null Origin header is sent. Ultimately, that preflight check must be coming from our own code. Can we figure out why the Origin header is null, but only in this case and not on WordPress.com sites?
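Added example, not part of the original issue or of the StoryMapJS code: a JavaScript model of what the test case exercises. A sandbox attribute without the allow-same-origin token gives the framed document an opaque origin, which browsers serialize as Origin: null, so a CORS policy that matches origins exactly rejects the request. The allowlist and all function names are assumptions made for illustration.

```javascript
// Frame URL taken from the test case in the issue.
const FRAME_URL = "https://s3.amazonaws.com/uploads.knightlab.com/storymapjs/7d5cf9cfc9fa75da134291f9fe3c57fb/sad-topographies/index.html";

// Constructed server policy (assumption): origins allowed to read the data.
const ALLOWLIST = ["https://s3.amazonaws.com"];

// Origin the framed document sends in CORS requests. A sandbox attribute
// without the allow-same-origin token forces an opaque origin, which
// serializes as the string "null". Tokens are ASCII case-insensitive.
function effectiveOrigin(frameUrl, sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return new URL(frameUrl).origin; // attribute absent: normal origin
  }
  const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("allow-same-origin") ? new URL(frameUrl).origin : "null";
}

// Hypothetical server side: echo the Origin only when it is allowlisted.
function allowOriginFor(requestOrigin, allowlist) {
  return allowlist.includes(requestOrigin) ? requestOrigin : undefined;
}

// Browser side, non-credentialed request: the response is readable only if
// Access-Control-Allow-Origin is "*" or matches the request Origin exactly.
function corsAllows(requestOrigin, allowOriginHeader) {
  if (allowOriginHeader === undefined) return false;
  return allowOriginHeader === "*" || allowOriginHeader === requestOrigin;
}

// Full path for one iframe variant: which Origin is sent, and does it pass?
function simulate(sandboxAttr, allowlist = ALLOWLIST) {
  const origin = effectiveOrigin(FRAME_URL, sandboxAttr);
  return { origin, allowed: corsAllows(origin, allowOriginFor(origin, allowlist)) };
}

console.log("with tags:   ", simulate("allow-scripts"));
console.log("without tags:", simulate(null));
console.log("null listed: ", simulate("allow-scripts", [...ALLOWLIST, "null"]));
```

Listing `null` in the policy makes the check pass for every document with an opaque origin (any sandboxed frame, `data:` URLs), so it only fits data that is already public.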