Prevent 3rd party cookies on Patterns directory
Describe the bug
On the front page of the (very cool) patterns directory, one of the current patterns is the "Podcast Subscription Box". This loads in many assets from Spotify servers (open.scdn.co, open.spotify.com, guc-spclient.spotify.com) as well as from sentry.io, and results in cookies stored on the open.spotify.com domain.
I haven't dug into it too much, but it may be that the iframe can be prevented from reading/writing cookies with the sandbox attribute.
(Ideally, IMO, not many non-wp.org assets would load on this page, but that may not be possible with how the blocks are injected.)
To Reproduce
Steps to reproduce the behavior:
- Go to https://wordpress.org/patterns/
- Open developer tools, look at network resources
Additional context
Maybe related: The Brave browser shows a notice that the wordpress.org/patterns page would like to install Google's Widevine DRM, which also seems like a strange requirement for this page.
As mentioned, this is coming from the Spotify embed block. Future patterns might use embeds from other 3rd party services.
I tried some values for sandbox, but I would need to research it more to see if that would work - sandbox="allow-scripts" broke the iframe entirely.
Tagging this with "Help Wanted".
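An added example, not part of the issue thread or the pattern directory's code: a Node.js check that lists third-party iframes in pattern markup and reports whether their `sandbox` value leaves the frame's scripts able to use cookies. The sample markup, the function names and the `EXAMPLE` URL segments are constructed for illustration; the check relies on the HTML rule that a sandboxed frame without `allow-same-origin` gets an opaque origin, so its scripts cannot read or write `document.cookie`.

```javascript
// Constructed sample markup (not copied from wordpress.org).
const SAMPLE_PATTERN_HTML = `
<iframe title="Spotify Embed" src="https://open.spotify.com/embed/show/EXAMPLE"></iframe>
<iframe src="https://open.spotify.com/embed/show/EXAMPLE" sandbox="allow-scripts"></iframe>
<iframe src="https://open.spotify.com/embed/show/EXAMPLE" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://wordpress.org/patterns/preview/EXAMPLE"></iframe>`;

// Minimal attribute parser for one <iframe ...> start tag.
// Good enough for an audit script; use a real HTML parser for untrusted input.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe\b/i, "").replace(/\/?>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one finding per iframe whose host is outside firstPartyHost.
function auditThirdPartyFrames(html, firstPartyHost) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if (!attrs.src) continue;
    let host;
    try {
      host = new URL(attrs.src, `https://${firstPartyHost}/`).hostname;
    } catch {
      continue; // unparsable src, nothing to attribute
    }
    if (host === firstPartyHost || host.endsWith(`.${firstPartyHost}`)) continue;
    const sandboxed = "sandbox" in attrs;
    const tokens = sandboxed
      ? attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean)
      : [];
    findings.push({
      host,
      sandboxed,
      tokens,
      // No sandbox, or sandbox with allow-same-origin: the frame keeps its
      // real origin and its scripts can use document.cookie and storage.
      scriptCookieAccess: !sandboxed || tokens.includes("allow-same-origin"),
    });
  }
  return findings;
}
```

The `scriptCookieAccess` flag covers script-side access only; cookies set through HTTP response headers are governed by the browser's third-party cookie handling, which this check does not model.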