Problem/Motivation

When an oEmbed provider is disabled on a Media bundle, Media continues to render the provider's content: it never checks whether the provider is still allowed. Since the list of enabled oEmbed providers is effectively an iFrame whitelist, this behavior should be documented and disclosed to site builders, as it is a security risk.

Proposed resolution

  • Add language to README.md
  • Add a warning atop the 'Allowed Providers' config page
  • Add a warning in the 'Media Source Configuration' fieldset on Media bundles where the Media source is 'Remote video'

Remaining tasks

Write patch

User interface changes

Warnings added as described above.

API changes

None

Data model changes

None

Release notes snippet

None

Comments

Chris Burge created an issue. See original summary.

Status: Active » Needs review
Attached file: new, 3.37 KB

Patch attached

Status: Needs review » Needs work
Attached file: new, 3.38 KB

Updated patch with disabledProviderSecurityWarning being static.


Status: Needs work » Needs review

  • Chris Burge authored a62fa98 on 1.0.x
    Issue #3129135 by Chris Burge: Document disallowed provider behavior

Assigned: chris burge » Unassigned
Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.