Posted May 30, 2018: I noticed that in 4.3, Codepen was removed from \IPS\Text\Parser::_oembedServices. Was this intentional? And if so, can you please provide the reason? I have a client that uses codepen extensively, so if there was a valid reason for its removal, I'd like to know so that I can be aware of the "consequences" of putting it back in. Thanks.
May 30, 2018: Yes, it was removed because of security concerns with the pen actually executing JavaScript from inside the embed.
May 30, 2018: Yes, it was intentional. Codepen can execute JavaScript in the local scope, so it introduced a minor potential security vulnerability. Doh, Ryan sniped me.
June 1, 2018: That's a huge disappointment and I'd like to strongly recommend that you put it back. Codepen embeds didn't run by default anyway; the user needed to click to activate. It's not like having the user click a link to go to the codepen URL (instead of embedding) would somehow protect them from malicious JS in that codepen, right? So this is just kicking the can down the road (and simultaneously frustrating your customers like me and providing a worse user experience for forum users). Literally almost every thread in our forums has a codepen, so this decision you made has significant ramifications for us. Please reconsider.
June 4, 2018: There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users.
June 8, 2018: On 6/4/2018 at 10:14 AM, bfarber said: "There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users." Didn't realize JS was so powerful that it could alter the course of an entire culture and society? Edited June 8, 2018 by CodingJungle
June 8, 2018: I would like to know if a mechanism like https://developer.mozilla.org/it/docs/Web/Security/Subresource_Integrity could be a solution to the problem.
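The thread's security point is that an oEmbed provider's `html` payload is injected into the forum page, so a payload containing a `<script>` tag (or an inline event handler) runs in the forum's own origin, with the reader's session. The following is an added example, not code from Invision Community or from CodePen, of the kind of filter a plugin that re-adds an embed provider would want to put in front of the `html` field: it rejects anything that can execute in the page origin and rebuilds the embed as a single sandboxed `<iframe>` pointing at an allowlisted host. The allowlist, the sandbox flags and the two sample payloads are constructed for illustration; the regex-based parsing is a deliberate simplification of what a real HTML sanitizer does.

```javascript
// Added example (not Invision Community or CodePen code).
// Filter an oEmbed "html" payload before it is rendered into the host page.
// Hosts and sample payloads below are constructed for this illustration.

const ALLOWED_EMBED_HOSTS = new Set(["codepen.io"]);

// allow-scripts lets the embedded pen run, but without allow-same-origin the
// frame cannot read or script the host document. Never combine allow-scripts
// with allow-same-origin for a src that could resolve to the host's own origin.
const SANDBOX = "allow-scripts allow-popups";

// Constructed sample: an iframe-style embed from an allowlisted host.
const SAMPLE_IFRAME_EMBED =
  '<iframe height="300" style="width:100%" scrolling="no" ' +
  'src="https://codepen.io/someone/embed/abcdef?default-tab=result" ' +
  'frameborder="no"></iframe>';

// Constructed sample: a script-style embed. The script would execute in the
// forum's origin, which is exactly the concern raised in the thread.
const SAMPLE_SCRIPT_EMBED =
  '<p class="codepen" data-slug-hash="abcdef"></p>' +
  '<script async src="https://example.com/embed-loader.js"></script>';

function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Returns a rebuilt, sandboxed iframe string, or null if the payload must be dropped.
function sanitizeOembedHtml(html) {
  // 1. Anything that can run in the page origin is rejected outright:
  //    script tags, inline event handlers, javascript: URLs.
  if (/<script[\s>]/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html)) {
    return null;
  }

  // 2. Accept only an iframe, and take nothing from it but its src.
  const m = html.match(/<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/i);
  if (!m) return null;

  let url;
  try {
    url = new URL(m[1]);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || !ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    return null;
  }

  // 3. Emit a fresh element so provider-supplied attributes are dropped and
  //    the sandbox attribute cannot be overridden by the payload.
  return `<iframe sandbox="${SANDBOX}" src="${escapeAttr(url.href)}" loading="lazy"></iframe>`;
}

// Demonstration on the constructed samples.
function demo() {
  return {
    iframeEmbed: sanitizeOembedHtml(SAMPLE_IFRAME_EMBED),
    scriptEmbed: sanitizeOembedHtml(SAMPLE_SCRIPT_EMBED),
    foreignHost: sanitizeOembedHtml('<iframe src="https://attacker.example/pen"></iframe>'),
    handlerAttr: sanitizeOembedHtml('<iframe src="https://codepen.io/x/embed/y" onload="alert(1)"></iframe>'),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The inline-handler and `javascript:` checks are intentionally strict and may reject a benign payload that happens to contain those strings in a query parameter; for a security filter that is the right side to err on, and the rebuilt element ignores every attribute but `src` anyway. Note that this is the opposite of what Subresource Integrity provides: SRI checks that a fetched script matches a known hash, but says nothing about what a script that matches is allowed to do once it runs in the page origin.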