Allow sub-domains from blocked domain to onebox

Firepup650 · June 17, 2023, 1:59pm

On a site I help run, we’ve recently found that a certain site fails to onebox (becomes a large empty space). We would have just blocked the domain from oneboxing, but that breaks oneboxing the forum hosted at a sub-domain of that site. Is it possible for us to allow the sub-domains to onebox without allowing the top domain to onebox?

Firepup650 · June 18, 2023, 9:33pm

For example, this main-site onebox fails (https://replit.com/@Firepup650/Yeehaw):

But the subdomain (Discourse) is fine (https://ask.replit.com/t/my-intro-i-guess/20705):

Lilly · June 19, 2023, 8:18pm

unfortunately i don’t think that is possible as per this topic

JammyDodger · June 19, 2023, 8:50pm

There seems to be something off with the link that creates the giant blank space. In the preview I notice it tries to give a big ‘Replit’ logo image. Could it be that the image used on those type of pages is breaking the onebox? Sorting that out may help them resolve nicely.

Canapin · July 3, 2023, 12:06pm

There’s a specific script for Replit oneboxes:

github.com

discourse/discourse/blob/7a204e754c17d1e8229bb782c17f450813c201ec/lib/onebox/engine/replit_onebox.rb

# frozen_string_literal: true

module Onebox
  module Engine
    class ReplitOnebox
      include Engine
      include StandardEmbed

      matches_regexp(%r{^https?://(replit\.com|repl\.it)/.+})
      always_https

      def placeholder_html
        oembed = get_oembed

        <<-HTML
          <img src="#{oembed.thumbnail_url}" style="max-width: #{oembed.width}px; max-height: #{oembed.height}px;" #{oembed.title_attr}>
        HTML
      end

      def to_html

This file has been truncated. show original

When we paste a Replit link, the composer shows the expected result:

When the post is processed, the link is transformed into an empty iframe.

<iframe width="695" height="521" frameborder="0" data-unsanitized-src="https://replit.com/@Firepup650/Yeehaw?embed=true" seamless="seamless" sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation">
#document
  <html>
    <head></head>
    <body></body>
  </html>
</iframe>

I don’t know if the issue comes from Replit or from the onebox script. I’d guess it’s the script, but I’m no coder

The link has proper opengraph tags, though: Sharing Debugger - Meta for Developers

anon44628144 · October 13, 2023, 7:32pm

I actually got it to work so that Discourse would not onebox replit.com but would onebox ask.replit.com. For some reason that only worked once though. After that it just blocked all oneboxing on both domains. Odd.

I help run the same forum as Firepup

Firepup650 · October 13, 2023, 7:36pm

After explicitly allowing Replit iframes, the following iframe code (Which seems similar to what @Canapin posted) works fine:

<iframe frameborder="0" width="500px" height="500px" src="https://replit.com/@Firepup650/Yeehaw?embed=true"></iframe>

Firepup650 · October 13, 2023, 8:48pm

Manual testing confirms that this specific part of the iframe is the issue. Changing it to just src works as expected (See third post on this topic)

Topic		Replies	Views
Iframe onebox has stopped working Support	10	1702	June 12, 2019
Attention Onebox experts: Help requested resizing an iFrame embedded via oEmbed Dev	22	3314	July 27, 2017
Github onebox broken for some link types Feature	6	1746	February 20, 2017
"blocked onebox domains" setting not respected Bug	16	1213	March 14, 2022
Mixcloud Embeds have stopped working Support	17	1731	October 27, 2022

Allow sub-domains from blocked domain to onebox

Related topics