
The Customize Windows

Technology Journal


By Abhishek Ghosh May 27, 2016 8:26 pm Updated on May 27, 2016

What is oEmbed and WordPress Embed?


If you administer a WordPress installation, you have heard about oEmbed. What is oEmbed and WordPress Embed? It is not a standard; it is just a format. Most websites describe oEmbed as an open standard. But a standard should have proper documentation, validated and accepted by known groups, societies, bodies or authorities. Dublin Core, for example, is a specification. It has a corresponding wiki on W3C’s website:

https://www.w3.org/wiki/DublinCore

 

What is oEmbed and WordPress Embed?

 

I was unable to find any history or technical specifications (I am talking about Internet protocols, RFCs, normal standards like IEEE). I found that all are referring to the domain oembed.com as the official website, but on that website (rather, a GitHub-hosted domain) there is no true “specification”. What is linked as the mailing list is a link to a Google Group. Actually, my suspicion started at the paragraph under Security Considerations:

When a consumer displays any URLs, they will probably want to filter the URL scheme to be one of http, https or mailto, although providers are free to specify any valid URL. Without filtering, Javascript:… style URLs could be used for XSS attacks.

When a consumer displays HTML (as with video embeds), there’s a vector for XSS attacks from the provider. To avoid this, it is recommended that consumers display the HTML in an iframe, hosted from another domain. This ensures that the HTML cannot access cookies from the consumer domain.
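
The two checks quoted above, written out for a consumer as an added example (not code from oembed.com, WordPress or this article): URL fields are kept only when the scheme is http, https or mailto, and provider HTML is never inlined. It assumes a JSON response and substitutes a sandboxed `srcdoc` iframe for the separately hosted domain the quoted text recommends; the sample response and `provider.example` are constructed.

```javascript
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const URL_FIELDS = ["url", "author_url", "provider_url", "thumbnail_url"];

// Return the normalized URL if its scheme is allowed, otherwise null.
function filterUrl(value) {
  if (typeof value !== "string") return null;
  try {
    // The URL parser lowercases the scheme and drops tabs, newlines and
    // leading spaces, so "Javascript:" still parses as javascript:.
    const parsed = new URL(value);
    return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
  } catch {
    return null; // relative or unparsable: nothing safe to display
  }
}

// Escape text for use inside a double-quoted HTML attribute.
function escapeAttr(text) {
  return text.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Assumption: a sandboxed srcdoc frame stands in for the other domain.
// Without allow-same-origin it cannot read the consumer's cookies.
function frameHtml(html, width, height) {
  const w = Number.isInteger(width) && width > 0 ? width : 480;
  const h = Number.isInteger(height) && height > 0 ? height : 270;
  return `<iframe sandbox="allow-scripts" width="${w}" height="${h}" ` +
    `srcdoc="${escapeAttr(html)}"></iframe>`;
}

// Reduce a raw oEmbed response body to fields that are safe to render.
function sanitizeOembed(jsonText) {
  const raw = JSON.parse(jsonText);
  const safe = { type: String(raw.type) };
  for (const field of URL_FIELDS) {
    const url = filterUrl(raw[field]);
    if (url !== null) safe[field] = url;
  }
  const framed = raw.type === "video" || raw.type === "rich";
  if (framed && typeof raw.html === "string")
    safe.html = frameHtml(raw.html, raw.width, raw.height);
  return safe;
}

// Constructed sample response; provider.example is a placeholder.
const SAMPLE = JSON.stringify({ version: "1.0", type: "rich",
  author_url: "Javascript:alert(1)", provider_url: "https://provider.example/",
  html: '<p class="x">hi</p><script>1</script>', width: 600, height: 400 });
```

Parsing the URL before checking the scheme matters: a string comparison against `javascript:` misses mixed case and embedded whitespace, which the parser normalizes first.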

That made me search DMOZ and W3C for the word oEmbed. DMOZ, obviously, has not listed any website, out of suspicion; W3C has this minimal information:

https://www.w3.org/2005/Incubator/federatedsocialweb/wiki/Protocols#oEmbed

The reason for suspicion became obvious: the possibility of security risks and thereby the chance of NSA or other governmental spyware activity. Cheating and fooling should have a limit. If an innocent person reads this:

http://www.webmonkey.com/2010/02/get_started_with_oembed/

Webmonkey has written:

The full OEmbed spec says that all requests sent to the API endpoint (Flickr in our example) must be HTTP GET requests, with any arguments sent as query parameters. Obviously any arguments you send through HTTP should be url-encoded (as per RFC 1738 in this case).

RFC 1738, cited in the sentence “any arguments you send through HTTP should be url-encoded (as per RFC 1738 in this case)”, is not about oEmbed. RFC 1738 describes Uniform Resource Locators (URLs).


 

What is oEmbed and WordPress Embed? Answer is Complex

 

That copy-pasting a URL from some websites turns it into something like an embedded Tweet or iframe cannot be a reason to try to establish it as an “Open Standard”. Instead of the “official webpage” i.e.

https://developers.facebook.com/docs/plugins/oembed-endpoints
https://developer.wordpress.com/docs/oembed-provider-api/
https://developer.yahoo.com/blogs/ydn/oembed-embedding-third-party-media-made-easy-7355.html
https://dev.twitter.com/rest/reference/get/statuses/oembed

It appears that oEmbed was originally thought out by Yahoo. There is a discussion on wordpress.org about oEmbed:

https://make.wordpress.org/core/2015/10/28/new-embeds-feature-in-wordpress-4-4/

Some WordPress developers are forcing it, while developers in general do not agree with the hidden matter that users actually have a JSON or XML output on their website.

 

Criticism of WordPress

 

In whichever way oEmbed was developed, or even whether it is used by the NSA, is not important. It is more important that the software should have an agreed list of standard features that are not open to XSS attacks. XML-RPC attacks are common and difficult to detect on PHP-FPM and Nginx, but XML-RPC possibly has some usage. It is definitely an unwanted package. Removing it with PHP filters is not a practical option. The files are on the server. A PHP shell can be used to get access.

Some problems were discussed at Drupal :

https://www.drupal.org/node/1175368

It is obvious that if our post is embedded by an innocent user inside his or her WordPress post (on a different server), then first, I can run an exploit; second, if my server is hacked, the persons embedding it will get hacked. The posts are saved in the MySQL database.

Another problem is content scraping. The case of Flickr, GitHub, Facebook and Twitter is different. They provide public services, and their websites are configured and managed by many skilled persons. It is not great to fetch a JSON response from a server. There is the much safer Open Graph. Facebook developed Open Graph inspired by Dublin Core, Microformats and RDF, but factually it is really open.

Obviously there are suspicious matters around oEmbed. Somehow an “official website” is hosted on GitHub with no logo and everyone refers to it, and some WordPress developers think it is great and do not provide any easy option to “switch it off”. Any sane human will say that there is something wrong in that scheme of promotion. It has been present since WordPress 2.9, but it has become dangerous now.

Innocent non-technical users will get more confused by words like RESTful API and JSON encoding.

The worst case would be if the embedding site is under DDoS attack. The source site will suffer from the DDoS. The old:

<a href="https://jima.in/" target="_blank">Restful Website</a>

will not do that. Providers like Twitter have caching mechanisms on different servers and DDoS protection at several layers. There are web hosts who kick a client out if the client's website is under DDoS.

 

Fair Usage of oEmbed

 

It is practical to limit the GET requests to specific IPs such as localhost. The generated output is suitable for display on one's own other domains, sections of the same domain, et cetera.

About This Article

Cite this article as: Abhishek Ghosh, "What is oEmbed and WordPress Embed?," in The Customize Windows, May 27, 2016, July 4, 2022, https://thecustomizewindows.com/2016/05/what-is-oembed-and-wordpress-embed/.
