Channel: Issues for Drupal core

Remove oEmbed security warning


Problem/Motivation

As documented in #3208830: [policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless:

When the oEmbed system was added to the core Media module, one of the protections added against malicious JavaScript was the suggestion that site owners configure their Drupal site to be visible through a subdomain alias (basically, oembed.example.com == example.com) so that malicious JavaScript served from an oEmbed provider would have an additional hoop to jump through. We felt strongly enough about this measure that, if oEmbed content is not served in a subdomain, we display a warning on the status report page.

However, this is tricky to set up: it's poorly documented, and the warning drives site builders crazy (as evidenced by discussion in #2965979: [PP-1] Validate alternate domain for oEmbed iFrame) until they get it set up properly. And even when they do, it's not clear that there is actually a security improvement here.

  1. If a subdomain is used, browsers consider it to be part of the main site, so it can share cookies with the main domain.
  2. If a completely different domain is used instead of a subdomain, users can go directly to the second domain, which, because it is the same Drupal site, is configured to use itself as the iFrame domain.

The oEmbed specification recommends that the HTML within the iFrame be hosted on another domain. The intention is for the HTML within the iFrame to be entirely separate from the main site. It does not recommend using a subdomain, or that the entire site be accessible from the other domain.
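The two objections above can be checked mechanically. The following is an added example, not Drupal core code: RFC 6265 domain matching decides whether the main site's session cookie is sent to the iframe host, and a host list models whether the Drupal site itself answers on the iframe domain (where the embed is then same-origin with the page). The hostnames and the `.example.com` cookie scope are constructed assumptions.

```python
import ipaddress
from typing import Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-matching: identical host, or the cookie domain is
    a dot-delimited suffix of a host that is not an IP literal."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored (5.2.3)
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never match a suffix
    except ValueError:
        return host.endswith("." + domain)


def session_cookie_reaches(iframe_host: str, cookie_origin: str,
                           cookie_domain: Optional[str]) -> bool:
    """Would the session cookie issued by cookie_origin accompany a request to
    iframe_host?  cookie_domain=None models a host-only cookie (no Domain)."""
    if cookie_domain is None:
        return iframe_host.lower() == cookie_origin.lower()
    return domain_matches(iframe_host, cookie_domain)


def assess_iframe_domain(site_hosts, cookie_origin, cookie_domain, iframe_host):
    """For each hostname the Drupal site answers on, list why the oEmbed iframe
    is not isolated from the embedding page (empty list means it is):
    'same-origin' = the site itself is served from the iframe domain;
    'cookie-shared' = the iframe host receives the main site's session cookie."""
    report = {}
    for host in site_hosts:
        problems = []
        if host.lower() == iframe_host.lower():
            problems.append("same-origin")
        if session_cookie_reaches(iframe_host, cookie_origin, cookie_domain):
            problems.append("cookie-shared")
        report[host] = problems
    return report


# Constructed scenarios; hostnames are placeholders, not taken from the issue.
# 1. Subdomain alias (what the warning pushed towards), registrable-domain cookie.
SUBDOMAIN = assess_iframe_domain(["example.com", "oembed.example.com"],
                                 "example.com", ".example.com", "oembed.example.com")
# 2. Separate domain that is merely another alias of the whole Drupal site.
ALIAS_DOMAIN = assess_iframe_domain(["example.com", "embeds.example.net"],
                                    "example.com", ".example.com", "embeds.example.net")
# 3. What the oEmbed spec intends: a host that serves only the iframe HTML.
SEPARATE_HOST = assess_iframe_domain(["example.com"],
                                     "example.com", ".example.com", "embeds.example.net")
```

Only the third scenario yields an empty finding list for every host; the subdomain setup leaks the session cookie to the iframe host, and the alias setup makes the embed same-origin whenever a user browses the site on the alias.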

Long story short, in #3208830-27: [policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless @longwave confirmed we can remove the warning while we pursue a more achievable fix.

Steps to reproduce

  1. Enable Media module
  2. Go to Drupal status page


Proposed resolution

Remove the warning, for all the reasons documented in #3208830: [policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless.

Remaining tasks

Review by core maintainers

User interface changes

No more warning

Introduced terminology

No

API changes

No

Data model changes

No
