As discovered when helping @JoeGermuska debug StoryMap, and via this comment in the WP oEmbed class:

Since WordPress 4.4, oEmbed discovery is enabled for all users and allows embedding of sanitized iframes. The providers in this list are whitelisted, meaning they are trusted and allowed to embed any content, such as iframes, videos, JavaScript, and arbitrary HTML.

Here's what seems to happen.

1. Since WP 4.4, all URLs entered on their own lines are fetched looking for oEmbed endpoint discoverability tags, and those oEmbed endpoints then fetched.
2. If the endpoint returns an iframe, it is sanitized (security="restricted" sandbox="allow-scripts" added) and used.
3. If not an iframe, then the response is discarded, unless the resource is whitelisted or you've registered the provider with a plugin.

Need to investigate and confirm the above, and then decide what changes (if any) to make, both here and on the platform. Questions:

• Is the above description true?
• Does the response need to be a bare iframe, or will WP pluck out an iframe nested in other HTML?
• What strictures does security="restricted" sandbox="allow-scripts" put on us?

My current hypothesis is that this will happen:

1. While we don't return an iframe, WP 4.4+ non-plugin users will get nothing.
2. If we return an iframe, WP 4.4+ non-plugin users will get the bare iframe with those security/sandbox attributes added.
3. Plugin users will continue to get the complete oEmbed endpoint.