We just noticed that PROTECTED_EMBEDS_DOMAIN will load the site homepage. As you probably know, the point of using an alternate domain to host embeds is to protect login cookies from XSS attacks. While it's probably not possible to get a login cookie from the protected embeds domain right now, it would be best to protect against some future bug that does make it possible. Do you think we could either wp_die() or wp_redirect() to the site homepage when that domain isn't serving a protected embed?
This seems like a general concern when implementing a protected embeds solution like this. What do you think about adding a check on init or parse_request that bails early for requests on the protected embeds domain that don't have have the "protected-iframe" query var set?
Hi Joe,
VIP brought the following issue to my attention:
This seems like a general concern when implementing a protected embeds solution like this. What do you think about adding a check on
init
orparse_request
that bails early for requests on the protected embeds domain that don't have have the "protected-iframe" query var set?