Iframely hash vs api key with Semantic embed

Created on 18 May 2025, about 2 months ago

Problem/Motivation

When using the Iframely paid service with Semantic Media Embed, Iframely offers two credentials for the API call: a Server Key and a Client Hash. The server key is passed as api_key=, is meant to stay hidden and be used only from a server environment; the client hash is passed as key=, can be used from the client side and be exposed, relying on origin-domain checks for protection.

Since the module uses the same provider URL both on the client side (for the editor) and on the server side (for embed filter processing), there is no way to use the client hash: the origin check rejects the server-side call with a 403, and using the server key instead exposes it to the client.

Iframely also provides an additional security feature where a server call can carry a custom header with a custom value, so that Iframely can verify the call originates from our server.

Steps to reproduce

  1. Set up an Iframely account and protect the API key with origin checks that match your domain.
  2. Set up the module with a Semantic Media Embed button and filter. Use &key=HASH in the provider URL in the module configuration.
  3. Use the embed button to embed any media in the editor.
  4. The media appears inside the editor.
  5. Save the content; the media embed is rendered as the link text. In the background, the call to Iframely from the filter with the key parameter fails.
  6. Remove the origin checks from the Iframely API key settings under your account.
  7. Refresh the content: the filter is now able to call the API with no origin restrictions, but this leaves the API with no protection against abuse.
  8. Alternatively, use the &api_key=KEY parameter with the server API key.
  9. Both editor and filter are then able to embed and show the media, but the server key is exposed and the origin checks are bypassed for the client, which again leaves the API with no protection against abuse.

Proposed resolution

One of the following solutions can be implemented:

  • Collect a separate provider URL for the filter. It could be a filter setting where the provider URL can be overridden, or it could live in the module configuration.
  • Collect through configuration a custom HTTP header name and value to pass when calling the provider URL from the filter.
  • Allow other modules, through a hook or event subscription, to modify the HTTP call's headers and URL.
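The split described in the problem statement and in the first two proposed options, modelled as an added example (not code from the Semantic Embed module or from Iframely): the editor receives only the origin-checked key= hash, while the filter uses a separate server-side URL carrying api_key= plus a custom header, and the editor-facing URL is refused if it would leak a server-only parameter. The configuration keys, the header name and all credential values are constructed placeholders; the oEmbed endpoint host is taken from Iframely's public documentation, not from this issue.

```python
"""Model of keeping the Iframely server key out of the editor-facing
provider URL while the text filter still authenticates server-side.
Added illustration; config keys, header name and values are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed configuration. provider_url is what the CKEditor plugin gets;
# filter_provider_url and the custom header are used only by the filter.
CONFIG = {
    "provider_url": "https://iframe.ly/api/oembed?key=CLIENT_HASH_PLACEHOLDER",
    "filter_provider_url": "https://iframe.ly/api/oembed?api_key=SERVER_KEY_PLACEHOLDER",
    "filter_header_name": "X-Embed-Origin-Check",      # assumed header name
    "filter_header_value": "SHARED_SECRET_PLACEHOLDER",  # constructed value
}

# Query parameters that must never reach the browser.
SERVER_ONLY_PARAMS = {"api_key"}


def query_params(url):
    """Return the query string of url as a dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def with_query(url, params):
    """Rebuild url with params as its query string."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def editor_provider_url(config):
    """URL handed to the client-side editor plugin.

    Refuses configurations that would ship a server-only credential, so a
    misconfiguration fails loudly instead of leaking api_key to every editor."""
    url = config["provider_url"]
    leaked = set(query_params(url)) & SERVER_ONLY_PARAMS
    if leaked:
        raise ValueError(
            "provider_url must not carry server-only parameters: %s"
            % sorted(leaked))
    return url


def filter_request(config, media_url):
    """Build the (url, headers) pair the server-side filter would send.

    Uses the filter-specific provider URL when configured, falling back to
    the shared one, and attaches the custom header only on this path."""
    base = config.get("filter_provider_url") or config["provider_url"]
    params = query_params(base)
    params["url"] = media_url
    headers = {}
    name = config.get("filter_header_name")
    if name:
        headers[name] = config["filter_header_value"]
    return with_query(base, params), headers


if __name__ == "__main__":
    print("editor:", editor_provider_url(CONFIG))
    print("filter:", filter_request(CONFIG, "https://example.com/video"))
```

With this shape the origin checks can stay enabled on the client hash, and the server key only ever appears in a request that also carries the custom header, which is exactly the property the origin-check bypass in steps 6 through 9 loses.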

Category

Feature request
Status

Active

Version

2.0

Component

Code

Created by

shadysamir (Egypt)
