Expose a way to suppress oEmbed security warnings

Created on 20 April 2018, about 6 years ago
Updated 6 July 2023, 12 months ago

Problem/Motivation

In #2831944-187: Implement media source plugin for remote video via oEmbed, @dawehner raised a point about the fact that Media will warn site administrators (via the status page) if they are displaying remote oEmbed resources in an iframe served from the same domain as the main Drupal site:

I'm curious whether we could somehow, instead of a warning, ensure that people at least checked a checkbox to know that they are doing something insecure.

Should site administrators be allowed to permanently acknowledge, and therefore suppress, this legitimate and actionable security warning? If so, how would we go about doing that?

Proposed resolution

TBD.

Remaining tasks

Discuss whether we should do this at all, and possibly implement a patch.

User interface changes

TBD.

API changes

TBD.

Data model changes

TBD.

Feature request
Status

Active

Version

11.0 🔥

Component
Media 

Created by

🇺🇸United States phenaproxima Massachusetts

  • Security
  • Usability

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇦🇺Australia sime Canberra

    I decided to work on a template site and clean up some warnings in the status report. I've never really focussed on this warning before, and I can point to commodity government platforms that do not set this setting by default - I guess they made an assessment about the risk and decided to live with it.

    Anyway here's just an anecdotal story about trying to remove this error on Platform.sh, and might be a good benchmark to consider the UX for non-technical people.

    I figured the goal was to add another domain to my site. Like a multi-site, I guess. Platform.sh allows you to add multiple domains to point to the same site, but the way all the examples are set up, they assume you'll be redirecting to one domain at the edge. They have an option to handle all domains as legitimate ("https://{all}/"), but then you're faced with what to do with this - this functionality was likely added to support a traditional multisite setup with multiple legitimate domains.

    I guess it wasn't too hard to set it up on Platform.sh after I decided how to set up my routes, but there was definitely not a way to generically set it up. Drupal 10 doesn't really have a domain setting since we removed $base_url, which is something I take for granted when setting up a boilerplate site. This setting appears to require a fully qualified domain, so I'm either faced with hardcoding this into the settings, or programmatically setting it in settings.php. I guess the mum/dad site builders will just hardcode it once they work out how to add another domain to their site.

    For the sake of sharing my thinking patterns, this is what I settled on. I decided to base the media domain on the main domain. I wanted to make this a subdomain like media.demo-site, but then I had to negotiate certificate setup on Cloudflare. If I was using the apex this would have been a little easier; I could have used www. and non-www., for example.

    So then I have two domains. I really don't want them both to serve the main site. Redirect module doesn't provide any handling for this case in the global redirect handling - how could it, it doesn't know the base url since Drupal 8. I guess I'm going to code this redirect. I don't think this is a great option for site builders at all, and it feels weird that Drupal is making me do all this to get rid of a warning that I know for a fact a lot of sites never address.

    Am I missing something in how to address this issue?
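The issue summary describes the warning (oEmbed iframes served from the site's own origin), and the comment above describes deriving the media domain from the main domain in settings.php rather than hardcoding it. The snippet below is an added example of that approach, written for this page; it is not code from the issue, from the commenter, or from Drupal core. It assumes hypothetical hosts `www.example.com` and `media.example.com`, and it uses the Media module's `iframe_domain` key in `media.settings`, which the issue text does not name. The point of the helper is that the media host is only ever derived from a host that already matches `trusted_host_patterns`, so an arbitrary Host header cannot steer the iframe origin, and that it refuses to return the same origin the site is served from, which is exactly the condition the status page warns about.

```php
<?php

// settings.php excerpt (added example; hypothetical host names).

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^media\.example\.com$',
];

/**
 * Derives an oEmbed iframe origin for Media from the incoming host.
 *
 * Returns an absolute https URL on a dedicated media subdomain, or NULL when
 * the host is untrusted or would be the same origin as the site itself.
 *
 * @param string $host
 *   The incoming request host (already lowercased by the caller or here).
 * @param string[] $patterns
 *   The same regular expressions used for trusted_host_patterns.
 */
function example_media_iframe_domain(string $host, array $patterns): ?string {
  $host = strtolower(trim($host));
  if ($host === '') {
    return NULL;
  }

  // Only accept hosts the site already trusts; this mirrors how the trusted
  // host check applies its patterns, so nothing outside that list gets used.
  $trusted = FALSE;
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host)) {
      $trusted = TRUE;
      break;
    }
  }
  if (!$trusted) {
    return NULL;
  }

  // Base the media host on the apex of the main host, as the comment above
  // describes: strip a leading www. (or an existing media.) and prefix media.
  $apex = preg_replace('/^(www|media)\./', '', $host);
  $media_host = 'media.' . $apex;

  // The status report warns when oEmbed iframes come from the site's own
  // origin, so never hand back the host the current request was served on.
  if ($media_host === $host) {
    return NULL;
  }

  return 'https://' . $media_host;
}

$iframe_domain = example_media_iframe_domain(
  $_SERVER['HTTP_HOST'] ?? '',
  $settings['trusted_host_patterns']
);

// Leave the config untouched (and let the warning stand) rather than setting a
// same-origin or untrusted value.
if ($iframe_domain !== NULL) {
  $config['media.settings']['iframe_domain'] = $iframe_domain;
}
```

With these assumptions, a request to `www.example.com` yields `https://media.example.com`, a request arriving on `media.example.com` yields NULL, and a host that matches no trusted pattern also yields NULL. The separate media host still needs its own DNS and certificate, and whatever serves it should only answer Media's oEmbed iframe route rather than the whole site; that part is outside what a settings.php override can express.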
