Problem/Motivation
When trying to preview a URL Embed in CKEditor, you get a 403 - Forbidden error.
Not quite sure why this was not documented in the Embed module, but when upgrading the module to cover this security vulnerability:
https://www.drupal.org/sa-contrib-2022-042
Embed now requires a CSRF token to be present when previewing embeds, as you can check in the checkCsrf() method of EmbedController.
These changes were included in commit #89b249e4.
Please note the embed itself is OK when viewing the node; the issue is with previewing those embeds in the editor.
Steps to reproduce
1. Click the URL Embed button in CKEditor
2. Add a social media URL, for example a Twitter tweet
3. Click on "Embed"
4. Note how the tweet preview is not displayed in CKEditor
5. Check the console logs and see that the POST call returns a 403 Forbidden error
So the 403 - Forbidden error is coming from the Embed controller (at route /embed/preview/{filter_format}), checkCsrf() method, since the required header X-Drupal-EmbedPreview-CSRF-Token is missing.
Also, if you check the response headers for that request, you will see that the X-Drupal-Ajax-Token header is missing.
Proposed resolution
URL Embed should add the X-Drupal-EmbedPreview-CSRF-Token header, carrying a valid token, to the preview request.
So I'm adding a CR with those changes in the editor widget for the preview and in the drupalurl ckeditor plugin.
Remaining tasks
Add tests?