Channel: Issues for Drupal core

[PP-1] Validate alternate domain for oEmbed iFrame


Problem/Motivation

This issue is spun off from UX team feedback on #2831944-203: Implement media source plugin for remote video via oEmbed.

For security reasons, the oEmbed system uses an iframe to serve content from a third-party oEmbed provider. By default, the iframe is served from the same domain as the main Drupal site, but this is not secure. Therefore, Media introduced a setting, exposed in a configuration form, which allows site builders/admins to set up an alternate domain from which to serve the iframe.

In order to serve oEmbed content more securely, the alternate iFrame domain still needs to point to the same Drupal site (it is a second origin for the same installation, not a different server). This is explained on the form, but not validated in any way.

Proposed resolution

It would be nice to add some sort of validation to ensure that the iFrame domain is actually pointing to the Drupal site, because if it isn't, then almost all oEmbed content on the site will break (404 errors or worse), which will scare the pants off of our users.
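As an illustration of what such a check could look like (added here as an example, not a patch from this issue or code from Drupal core), the following form validation handler would sit on the Media settings form. The `iframe_domain` config key and the `/media/oembed` route are real; the method body, the use of the `X-Generator` response header as a fingerprint, and the timeout values are assumptions made for this example.

```php
<?php

namespace Drupal\media\Form;

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;
use GuzzleHttp\Exception\GuzzleException;

/**
 * Hypothetical validation for the alternate oEmbed iframe domain.
 *
 * Only validateForm() is shown; getFormId(), buildForm() and submitForm()
 * are the existing ones from the real settings form and are omitted here.
 */
class MediaSettingsForm extends ConfigFormBase {

  /**
   * {@inheritdoc}
   */
  public function validateForm(array &$form, FormStateInterface $form_state) {
    parent::validateForm($form, $form_state);

    $iframe_domain = trim((string) $form_state->getValue('iframe_domain'));
    // An empty value keeps the default of serving the iframe from the main
    // site domain, which the form already warns about; nothing to validate.
    if ($iframe_domain === '') {
      return;
    }

    // 1. The value must be an absolute URL with a scheme and a host.
    $parts = parse_url($iframe_domain);
    if (!UrlHelper::isValid($iframe_domain, TRUE) || empty($parts['scheme']) || empty($parts['host'])) {
      $form_state->setErrorByName('iframe_domain', $this->t('The iframe domain must be an absolute URL such as https://media.example.com.'));
      return;
    }

    // 2. Using the main site's own host defeats the purpose of the setting,
    // because the iframe would then share the site's origin anyway.
    $site_host = $this->getRequest()->getHost();
    if (strcasecmp($parts['host'], $site_host) === 0) {
      $form_state->setErrorByName('iframe_domain', $this->t('The iframe domain must differ from the main site domain (@host).', ['@host' => $site_host]));
      return;
    }

    // 3. Probe the oEmbed iframe route on the alternate domain from the web
    // server itself. Without the url/hash query parameters the route answers
    // with a 4xx, which is fine: what matters is that a Drupal site answers
    // at all, not that it serves a resource.
    $probe_url = rtrim($iframe_domain, '/') . '/media/oembed';
    try {
      $response = \Drupal::httpClient()->request('GET', $probe_url, [
        'http_errors' => FALSE,
        'allow_redirects' => FALSE,
        'connect_timeout' => 5,
        'timeout' => 5,
      ]);
    }
    catch (GuzzleException $e) {
      $form_state->setErrorByName('iframe_domain', $this->t('The iframe domain @url could not be reached: @message', ['@url' => $probe_url, '@message' => $e->getMessage()]));
      return;
    }

    // Heuristic fingerprint (assumption): Drupal sends an X-Generator header
    // of the form "Drupal N (https://www.drupal.org)" on its responses,
    // including error pages. A server error or a non-Drupal answer means the
    // domain is not routed to this installation.
    $generator = $response->getHeaderLine('X-Generator');
    if ($response->getStatusCode() >= 500 || stripos($generator, 'Drupal') !== 0) {
      $form_state->setErrorByName('iframe_domain', $this->t('@url does not appear to be served by this Drupal site (HTTP @code). oEmbed content would not display.', ['@url' => $probe_url, '@code' => $response->getStatusCode()]));
    }
  }

}
```

Two caveats for anyone adapting this: the probe runs from the web server, so the alternate domain must resolve and be reachable from there, not just from the admin's browser; and the `X-Generator` check only shows that some Drupal site answers on that domain, so a reverse proxy that strips headers, or an unrelated Drupal site on the same host, would give a false result. A stricter variant would compare a per-site value (for example a response to a dedicated route that returns a hash derived from the site's own settings), which keeps the check away from the oEmbed hash logic itself.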

Remaining tasks

  1. Discuss whether we should even do this, and if so, how to do it in a way that will please the security team.
  2. Write a patch
  3. Review it until we're all sick of looking at it
  4. Commit it

User interface changes

TBD, but probably none.

API changes

TBD, but probably minimal or none.

Data model changes

None anticipated.
