[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless

Created on 14 April 2021, about 4 years ago
Updated 23 April 2023, about 2 years ago

Problem/Motivation

This issue is spun off from the pile-on happening in ✨ [PP-1] Validate alternate domain for oEmbed iFrame Postponed .

When the oEmbed system was added to the core Media module, one of the protections added against malicious JavaScript was the suggestion that site owners configure their Drupal site to be visible through a subdomain alias (basically, oembed.example.com == example.com) so that malicious JavaScript served from an oEmbed provider would have an additional hoop to jump through. We felt strongly enough about this measure that, if oEmbed content is not served in a subdomain, we display a warning on the status report page.

However, this is tricky to set up -- it's poorly documented and the warning drives site builders crazy (as evidenced by discussion in ✨ [PP-1] Validate alternate domain for oEmbed iFrame Postponed ) until they get it set up properly. And even when they do, it's not clear that there is actually a security improvement here.

  1. If a subdomain is used, browsers consider it to be part of the main site, so it can share cookies with the main domain.
  2. If a completely different domain is used instead of a subdomain, users can go directly to the second domain, which, because it is the same Drupal site, is configured to use itself as the iFrame domain.

The oEmbed specification recommends that the HTML within the iFrame be hosted on another domain. The intention is for the HTML within the iFrame to be entirely separate from the main site. It does not recommend using a subdomain, or that the entire site be accessible from the other domain.

Steps to reproduce

Install the Standard profile and the Media module, then visit the status report page.

Proposed resolution

  1. Do not allow login from the iFrame domain. If there is not an iFrame domain, use a data URL and sandbox attribute to minimize the possibility of cookies leaking into the iFrame.
  2. Provide detailed documentation for site builders.

Remaining tasks

TBD

User interface changes

TBD

API changes

TBD

Data model changes

TBD

Release notes snippet

📌 Task
Status

Active

Version

10.1 ✨

Component
Media  →

Last updated about 15 hours ago

Created by

🇺🇸United States phenaproxima Massachusetts

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024