Issue #2962753 by ivnish, asawari, sagarmohite0031, phenaproxima, smustgrave, longwave, pameeela, sime, joelpittet, quietone: Remove oEmbed security warning

lauriii · lauriii · commit 8fe5855a0e9a · 2024-12-12T11:00:43.000+02:00
diff --git a/modules/media/media.install b/modules/media/media.install
@@ -12,8 +12,6 @@ use Drupal\Core\StringTranslation\TranslatableMarkup;
 use Drupal\Core\Url;
 use Drupal\image\Plugin\Field\FieldType\ImageItem;
 use Drupal\media\Entity\MediaType;
-use Drupal\media\MediaTypeInterface;
-use Drupal\media\Plugin\media\Source\OEmbedInterface;
 use Drupal\user\RoleInterface;
 
 /**
@@ -78,35 +76,6 @@ function media_requirements($phase) {
     }
   }
   elseif ($phase === 'runtime') {
-    // Check that oEmbed content is served in an iframe on a different domain,
-    // and complain if it isn't.
-    $domain = \Drupal::config('media.settings')->get('iframe_domain');
-
-    if (!\Drupal::service('media.oembed.iframe_url_helper')->isSecure($domain)) {
-      // Find all media types which use a source plugin that implements
-      // OEmbedInterface.
-      $media_types = \Drupal::entityTypeManager()
-        ->getStorage('media_type')
-        ->loadMultiple();
-
-      $oembed_types = array_filter($media_types, function (MediaTypeInterface $media_type) {
-        return $media_type->getSource() instanceof OEmbedInterface;
-      });
-
-      if ($oembed_types) {
-        // @todo Potentially allow site administrators to suppress this warning
-        // permanently. See https://www.drupal.org/project/drupal/issues/2962753
-        // for more information.
-        $requirements['media_insecure_iframe'] = [
-          'title' => t('Media'),
-          'description' => t('It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. <a href=":url">You can specify a different domain for serving oEmbed content here</a>.', [
-            ':url' => Url::fromRoute('media.settings')->setAbsolute()->toString(),
-          ]),
-          'severity' => REQUIREMENT_WARNING,
-        ];
-      }
-    }
-
     $module_handler = \Drupal::service('module_handler');
     foreach (MediaType::loadMultiple() as $type) {
       // Load the default display.
diff --git a/modules/media/tests/src/Functional/MediaSettingsTest.php b/modules/media/tests/src/Functional/MediaSettingsTest.php
@@ -29,21 +29,6 @@ protected function setUp(): void {
     ]));
   }
 
-  /**
-   * Tests that media warning appears if oEmbed media types exists.
-   */
-  public function testStatusPage(): void {
-    $assert_session = $this->assertSession();
-
-    $this->drupalGet('admin/reports/status');
-    $assert_session->pageTextNotContains('It is potentially insecure to display oEmbed content in a frame');
-
-    $this->createMediaType('oembed:video');
-
-    $this->drupalGet('admin/reports/status');
-    $assert_session->pageTextContains('It is potentially insecure to display oEmbed content in a frame');
-  }
-
   /**
    * Tests that the media settings form stores a `null` iFrame domain.
    */
