Conversation
Hi, we are using this plugin on a WordPress site to create H5P content, which is then embedded into our VLE (LMS) at Sunderland Uni. After our WordPress auto-updated to 6.9 overnight, all of our embedded content was broken this morning! Much panic. We have ‘resolved’ by restoring a previous version on WP 6.8.3 and all is working again, but this can only be a short-term solution due to security issues. I’ve gone over the release notes for 6.9 and cannot see what could have caused this. Any ideas?
We’re having exactly the same issue (UWE Bristol). It looks like the latest WordPress update has applied a specific frame ancestor setting to SELF for the directory wp-admin (while the rest of the site has open frame ancestor setting permissions). This effectively means wp-admin content cannot be embedded, but other parts of our site can (pages/posts etc). As our H5Ps are provided with a URL containing “wp-admin” (and I assume yours are as well?) – they are being blocked from being embedded in our VLE. You can see this happening when you mess around with your browser’s Inspector > Console. I’m guessing this is a WordPress security change to stop people being able to embed wp-admin parts of the site, but it’s obviously stopping our H5Ps from appearing. A major problem! How did you roll back to a previous version of WordPress? I agree, it’s not an ideal solution, but we need to get through today at least with H5Ps accessible to our students. I could be wrong with all this, but it looks to be the case. Hoping a solution can be found quickly. Many thanks!
Hi, we used https://wordpress.org/plugins/wp-downgrade/. Do make sure you do a backup; however, it seemed to do the trick. Thanks
Great – thanks. That’s super useful. Fingers crossed the plugin developers are able to fix the issue their end. Cheers
WordPress 6.9 sets a header: content-security-policy: frame-ancestors 'self'; on the embed URLs and elsewhere in WP admin: /wp-admin/admin-ajax.php?action=h5p_embed. This prevents embedding in another domain.
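Editorial aside, not part of the thread and not WordPress or H5P code: an added example that evaluates a `frame-ancestors` policy the way the post above describes, to show why the `h5p_embed` URL loads on the WordPress site itself but not inside a page on another domain. The host names are constructed placeholders, and the matching is a simplified form of the CSP rules that checks a single embedding page.

```javascript
// Added example (not from the thread). Simplified CSP3 frame-ancestors matching
// for a single embedding page; host names below are constructed placeholders.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Source list of the frame-ancestors directive in one policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Does one source expression match the embedding (parent) page?
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Simplification: a source without a scheme must use the resource's scheme.
  if (parent.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const hostOk = host.startsWith("*.")
    ? parent.hostname.endsWith(host.slice(1)) // "*.example.edu" -> ".example.edu"
    : parent.hostname === host;
  const def = DEFAULT_PORT[parent.protocol];
  return hostOk && (port === "*" || (port || def) === (parent.port || def));
}

// Multiple CSP headers are ANDed: each policy with frame-ancestors must allow it.
function canEmbed(cspHeaders, resourceUrl, parentUrl) {
  const self = new URL(resourceUrl), parent = new URL(parentUrl);
  return cspHeaders.every((policy) => {
    const sources = frameAncestors(policy);
    return sources === null || sources.some((s) => sourceMatches(s, parent, self));
  });
}

const EMBED = "https://h5p.example.edu/wp-admin/admin-ajax.php?action=h5p_embed";
const VLE = "https://vle.example.edu/course/view"; // constructed LMS page
console.log(canEmbed(["frame-ancestors 'self';"], EMBED, VLE));
console.log(canEmbed(["frame-ancestors 'self' https://vle.example.edu"], EMBED, VLE));
```

For a cross-domain embed to load, the embed response needs a `frame-ancestors` list that names the embedding origin; naming that origin keeps every other site blocked, which `*` would not.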
Thanks for the info! Is this something which site owners can set / override?
Thanks for letting us know! We are looking to resolve this for the H5P plugin immediately and push an update once it is ready. Best regards, Julius, Product Manager at H5P Group
Hi Julius, fantastic! I’m glad you’re on it. We will hold back for now on doing anything bespoke to CSP pending further information from you. Thank you, Sonya
@sonyauos The new plugin version with the fix is available now. Let me know if you still run into any issues! Best regards, Julius and the H5P team
This looks great @jstang – thanks for updating the plugin! (and apologies for not replying sooner. All looks good)
Hey @jstang – I’ve updated my plugin to the latest version but I’m still getting this issue. The embed code is still showing ..wp-admin.. Is there something else I need to change/amend/update?