[HacktionLab] {Spam?} Re: embedding iframes in wordpress network sites securely

Charlie Harvey charlie at newint.org
Tue Jun 25 19:42:49 UTC 2013


On 25/06/13 10:44, m3shrom wrote:
> Hi there,
> 
> There are a couple of services that want to be able to embed iframes in
> network23.org blogs.
> Allowing anyone to do this is a security risk.
> 
> What would be the best way to do it?
> 
> An idea, create a plug-in for each service that each blog could enable.
> Does anyone know how you would go about doing that?

Hiya,

How about the attached module, which is a fork of the standard iframe
module?

It works the same way that I imagine the wordpress.com site works. There
is a whitelist of "allowed sites" which you can iframe. If you try to
iframe a URL that is not on the blacklist, then no embed is added.

As an admin, you can edit the source to add sites that people are
allowed to embed from (at line 25 in iframe.php). You could have this
read from a file if you wanted a less brittle setup.

Depending on what attack you are defending against this may be a better
approach than allowing users to configure their own blogs. For example
if you didn't want to facilitate tracking at all, you'd want to disallow
embedding from youtube and shit like that (who could track via the iframe).

If you want to do per user whitelists as you describe, then you'd need
to create the whitelist locally (probably writing to the database or
something).

Cheers,


> Ideally it would create some kind of short code that people could place
> in their page to display a player or calendar.
> 
> Any pointers? or can anyone help put a couple of these together. Surely
> it can't be too hard.
> 
> nice one
> mick
> 
> 
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab


-- 
Charlie Harvey
IT Manager
New Internationalist

t: +44 (0)1865 811402
f: +44 (0)1865 793152
w: http://www.newint.org/
k: http://sn.im/gpgkey/

** Check out our new, improved online shop: http://tr.im/nishop **

New Internationalist is an independent not-for-profit communications
cooperative. Our multi-award winning magazine, New Internationalist,
brings to life the people, the ideas and the action in the fight for
global justice.

New Internationalist Publications Ltd. is incorporated in England
under no.1005239. Registered Office:
New Internationalist, 55 Rectory Road, Oxford,  OX4 1BW, UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iframe-whitelister.zip
Type: application/zip
Size: 45723 bytes
Desc: not available
URL: <https://lists.aktivix.org/pipermail/hacktionlab/attachments/20130625/b094fc7f/attachment-0001.zip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <https://lists.aktivix.org/pipermail/hacktionlab/attachments/20130625/b094fc7f/attachment-0001.pgp>
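The whitelisting shortcode described above, written out as an added example. This is not the code from the attached iframe-whitelister.zip and not the standard iframe module; the function names (iwl_*), the filter name 'iwl_allowed_hosts' and the three default hosts are assumptions made for the example. The point it adds to the thread is how the host check has to be done: parse the URL properly and compare the whole host (or a dot-prefixed suffix of it), because a substring or "starts with" test lets youtube.com.attacker.example through, and restrict the scheme so javascript: and data: URLs never reach the iframe src. Only the WordPress functions add_shortcode, shortcode_atts, apply_filters and esc_url are used, all of which exist in the 2013-era API.

```php
<?php
/*
Plugin Name: Iframe Whitelist Shortcode (example)
Description: [iframe src="..."] that only embeds from an admin-controlled list of hosts.
*/

// Hosts that blogs on the network may embed from. Admins edit this list
// here, or override it from another plugin (or a file reader) via the
// hypothetical 'iwl_allowed_hosts' filter, so the list is not baked into
// the shortcode code itself. The three defaults are example values.
function iwl_allowed_hosts() {
    $defaults = array(
        'www.youtube.com',
        'player.vimeo.com',
        'calendar.google.com',
    );
    return apply_filters( 'iwl_allowed_hosts', $defaults );
}

// Exact host match, or a subdomain of a whitelisted host
// ('foo.example.org' under 'example.org'). The suffix is compared with
// a leading dot: a plain substring / prefix test would accept
// 'example.org.attacker.example', which is the classic bypass.
function iwl_host_allowed( $host, $allowed ) {
    $host = strtolower( rtrim( $host, '.' ) );
    foreach ( $allowed as $ok ) {
        $ok = strtolower( $ok );
        if ( $host === $ok ) {
            return true;
        }
        $suffix = '.' . $ok;
        if ( strlen( $host ) > strlen( $suffix )
             && substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Returns the URL if it may be embedded, or null if not.
function iwl_validate_src( $src ) {
    $parts = parse_url( $src );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return null; // relative / garbage / javascript: style values have no host
    }
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    if ( 'https' !== $scheme ) {
        return null; // https only: no http (mixed content), no javascript:, no data:
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return null; // refuse 'https://www.youtube.com@attacker.example/' lookalikes
    }
    if ( ! iwl_host_allowed( $parts['host'], iwl_allowed_hosts() ) ) {
        return null;
    }
    return $src;
}

// [iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"]
function iwl_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'src'    => '',
        'width'  => '560',
        'height' => '315',
    ), $atts, 'iframe' );

    $src = iwl_validate_src( $a['src'] );
    if ( null === $src ) {
        return ''; // not on the whitelist: no embed is added, as in the post
    }

    // esc_url() re-checks the scheme and escapes the attribute; width and
    // height are cast to int so nothing else can be smuggled into the tag.
    // sandbox= keeps the frame from navigating the top window or submitting
    // forms on our behalf; allow-scripts/allow-same-origin are what video
    // players need to run at all.
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" '
        . 'sandbox="allow-scripts allow-same-origin allow-popups" '
        . 'allowfullscreen></iframe>',
        esc_url( $src ),
        (int) $a['width'],
        (int) $a['height']
    );
}
add_shortcode( 'iframe', 'iwl_shortcode' );
```

Dropped into a network-activated plugin, the whitelist is controlled by the network admin alone; per-blog whitelists, as the original question asks for, would hook the 'iwl_allowed_hosts' filter and read a per-site option from the database instead of the hard-coded array. Note that whitelisting only decides who may embed; any host on the list can still set cookies and track readers from inside the frame, which is the tracking trade-off raised in the reply.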

