[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libreoffice-website] CSP issue is back on the WordPress blog instance


On Thu, 23 Jan 2020 at 18:33:21 +0100, William Gathoye (LibreOffice) wrote:
> That extension isn't even loading due to CSP, here is the URL
> filtered:
> https://fr.blog.documentfoundation.org/wp-admin/admin.php?page=youtube-ep-wizard&random=303&;

Ack, it was block frames from sameorigin. Does it work now? Don't
think that's what blocking the video though.

> As soon as I try to specify <iframe> tags inside the article edit area
> (text mode), WordPress is getting rid of these tags, same applies with
> "standard" [embed] shortcodes, like if that extension was tweaking the
> WordPress "save" event. It is working nicely on a vanilla WordPress I
> have though.

Seems like the extension only triggers on URLs matching these regular
expressions:

@^\s*https?://(?:www\.)?(?:(?:youtube.com/(?:(?:watch)|(?:embed)|(?:playlist))(?:/live_stream){0,1}/{0,1}\?)|(?:youtu.be/))([^\s"]+)\s*$@i
@^[\r\t ]*https?://(?:www\.)?(?:(?:youtube.com/(?:(?:watch)|(?:embed)|(?:playlist))(?:/live_stream){0,1}/{0,1}\?)|(?:youtu.be/))([^\s"]+)[\r\t ]*$@im
@https?://(?:www\.)?(?:(?:youtube.com/(?:(?:watch)|(?:embed)|(?:playlist))(?:/live_stream){0,1}/{0,1}\?)|(?:youtu.be/))([^\[\s"]+)@i

so -nocookies won't match. Dunno what's Mike/Italo's workflow, but
AFAICT one needs to visit

/wp-admin/admin.php?page=youtube-my-preferences#jumpprivacy

and tick the “Privacy/GDPR - Show Consent Message” and “No Cookies”
boxes. Afterwards both https://www.youtube.com/watch?v=deadbeef and
[embedyt]https://www.youtube.com/watch?v=deadbeef[/embedyt] (or
anything matching the above URLs) will be transformed to use
https://www.youtube-nocookie.com .

Seems like a per-site configuration options, tweaked it on the French
blog too. It's IMHO unfortunate that the plugins don't have these on by
default.

--
Guilhem.

--
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy

Follow-Ups:
Re: [libreoffice-website] CSP issue is back on the WordPress blog instance"William Gathoye (LibreOffice)" <william.gathoye@libreoffice.org>
Re: [libreoffice-website] CSP issue is back on the WordPress blog instanceGuilhem Moulin <guilhem@libreoffice.org>
References:
[libreoffice-website] CSP issue is back on the WordPress blog instance"William Gathoye (LibreOffice)" <william.gathoye@libreoffice.org>
Re: [libreoffice-website] CSP issue is back on the WordPress blog instanceGuilhem Moulin <guilhem@libreoffice.org>
Re: [libreoffice-website] CSP issue is back on the WordPress blog instance"William Gathoye (LibreOffice)" <william.gathoye@libreoffice.org>
Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.