humanmade / protected-embeds

A drop-in replacement for WordPress.com protected embeds

Should requests for PROTECTED_EMBEDS_DOMAIN that aren't for embeds be killed early? #2

Closed goldenapples closed 8 years ago

goldenapples commented 8 years ago

Hi Joe,

VIP brought the following issue to my attention:

We just noticed that PROTECTED_EMBEDS_DOMAIN will load the site homepage. As you probably know, the point of using an alternate domain to host embeds is to protect login cookies from XSS attacks. While it's probably not possible to get a login cookie from the protected embeds domain right now, it would be best to protect against some future bug that does make it possible. Do you think we could either wp_die() or wp_redirect() to the site homepage when that domain isn't serving a protected embed?

This seems like a general concern when implementing a protected embeds solution like this. What do you think about adding a check on init or parse_request that bails early for requests on the protected embeds domain that don't have the "protected-iframe" query var set?

roborourke commented 8 years ago

Looks like this is done :)
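
One way to implement the early bail-out proposed in this issue, as an added example that is not the plugin's own code. It assumes PROTECTED_EMBEDS_DOMAIN holds a hostname (optionally with a scheme) and that "protected-iframe" is registered as a public query var; the pe_* function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes PROTECTED_EMBEDS_DOMAIN holds a hostname
// (optionally with a scheme) and that "protected-iframe" is a registered public query var.
// The pe_* function names are hypothetical.

// Reduce a Host header or configured domain to a bare lowercase hostname.
function pe_normalize_host( $value ) {
	$value = strtolower( trim( (string) $value ) );
	$value = preg_replace( '#^[a-z][a-z0-9+.-]*://#', '', $value ); // drop scheme
	$value = preg_replace( '#[/?\#].*$#', '', $value ); // drop path, query, fragment
	$value = preg_replace( '#:\d+$#', '', $value ); // drop port
	return rtrim( $value, '.' ); // drop trailing dot
}

// True when the request is on the embeds domain but names no embed.
function pe_is_non_embed_request( $host, $embed_domain, array $query_vars ) {
	$embed_host = pe_normalize_host( $embed_domain );
	if ( '' === $embed_host || pe_normalize_host( $host ) !== $embed_host ) {
		return false; // not configured, or a request for the main site
	}
	$id = $query_vars['protected-iframe'] ?? '';
	return ! is_scalar( $id ) || '' === (string) $id;
}

if ( function_exists( 'add_action' ) ) {
	// parse_request only fires for requests routed through WP::parse_request();
	// wp-login.php, for one, never reaches it and would need a check on init.
	add_action( 'parse_request', function ( $wp ) {
		if ( ! defined( 'PROTECTED_EMBEDS_DOMAIN' ) ) {
			return;
		}
		$host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
		if ( pe_is_non_embed_request( $host, PROTECTED_EMBEDS_DOMAIN, (array) $wp->query_vars ) ) {
			wp_die( 'Nothing to see here.', 'Forbidden', array( 'response' => 403 ) );
		}
	}, 1 );
} else {
	// Outside WordPress: constructed sample requests, printed as booleans.
	$cases = array(
		array( 'embeds.example.test:443', array() ), // homepage on embeds domain
		array( 'embeds.example.test', array( 'protected-iframe' => 'abc123' ) ), // embed
		array( 'www.example.test', array() ), // main site
	);
	foreach ( $cases as $c ) {
		var_dump( pe_is_non_embed_request( $c[0], 'https://embeds.example.test', $c[1] ) );
	}
}
```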