Since WordPress 4.4, oEmbed discovery is enabled for all users and allows embedding of sanitized iframes. The providers in this list are whitelisted, meaning they are trusted and allowed to embed any content, such as iframes, videos, JavaScript, and arbitrary HTML.
Here's what seems to happen.
Since WP 4.4, all URLs entered on their own lines are fetched looking for oEmbed endpoint discoverability tags, and those oEmbed endpoints then fetched.
If the endpoint returns an iframe, it is sanitized (security="restricted" sandbox="allow-scripts" added) and used.
If not an iframe, then the response is discarded, unless the resource is whitelisted or you've registered the provider with a plugin.
Need to investigate and confirm the above, and then decide what changes (if any) to make, both here and on the platform. Questions:
Is the above description true?
Does the response need to be a bare iframe, or will WP pluck out an iframe nested in other HTML?
What strictures does security="restricted" sandbox="allow-scripts" put on us?
As discovered when helping @JoeGermuska debug StoryMap, and via this comment in the WP oEmbed class:
Here's what seems to happen.
security="restricted" sandbox="allow-scripts"
added) and used.Need to investigate and confirm the above, and then decide what changes (if any) to make, both here and on the platform. Questions:
security="restricted" sandbox="allow-scripts"
put on us?