Currently the iframe serving a protected embed is served from site_url( '/protected-iframe/' . $embed->get_id() ). This seems wrong, as the point of this plugin is to be sure to serve these iframes from a separate domain from the site.
This also causes the postmessages being used to resize the iframes to fail, because the target origin specified in the postMessage call doesn't match the actual document origin of the iframe. As a result, frames are not resizing correctly and are cut off at 150px height.
Currently the iframe serving a protected embed is served from
site_url( '/protected-iframe/' . $embed->get_id() )
. This seems wrong, as the point of this plugin is to be sure to serve these iframes from a separate domain from the site.This also causes the postmessages being used to resize the iframes to fail, because the target origin specified in the postMessage call doesn't match the actual document origin of the iframe. As a result, frames are not resizing correctly and are cut off at 150px height.
The offending line seems to be here: https://github.com/humanmade/protected-embeds/blob/master/protected-embeds.php#L77