WordPress has a whitelist of 31 trusted sites from which users can oEmbed content, but one source is noticeably missing – WordPress itself. During this week’s feature plugin chat, Pascal Birchler and a group of contributors proposed the idea of oEmbed for WordPress Posts:
Basically, we want to make WordPress an oEmbed provider. Users should be able to paste an URL from a WordPress blog and the post gets embedded right away. Difficulties here are discovering other WordPress sites as oEmbed providers and whitelisting them. The oEmbed endpoint requires the WP-API to be in use, so this can’t land in core until the API does.
The oEmbed API proof-of-concept feature plugin is currently in development on GitHub. It requires WordPress 4.3 beta 3 or later and version 2 of the WP REST API plugin.
Mel Choyce, author of the trac ticket requesting the feature, created a mockup of how embedded WordPress posts might look:
The ticket is home to an active discussion with excellent reasons on both sides of the argument for why this should or should not be included in core, highlighting the many considerations that would be involved with having oEmbed discovery turned on. Tackling abuse of the feature could also pose a significant challenge.
The feature plugin is still in the early development stages and discussion regarding its implementation is ongoing. Birchler said the team needs help with design and development, particularly with the oEmbed auto-discovery part of the project. If you’d like to get involved with the discussion, you can join in the weekly chats in the #feature-oembed WordPress Slack channel.
I can see this being possible, but fraught with peril. Some *very* strict filters will be needed to maintain security. Possibly not worth the effort, in the long run. Not sure.
Definitely something that will need an off switch though. Or a way to avoid accidental usage.