Allow sub-domains from blocked domain to onebox

On a site I help run, we’ve recently found that a certain site fails to onebox (becomes a large empty space). We would have just blocked the domain from oneboxing, but that breaks oneboxing the forum hosted at a sub-domain of that site. Is it possible for us to allow the sub-domains to onebox without allowing the top domain to onebox?


For example, this main-site onebox fails (

But the subdomain (Discourse) is fine (


unfortunately i don’t think that is possible as per this topic

There seems to be something off with the link that creates the giant blank space. In the preview I notice it tries to give a big ‘Replit’ logo image. Could it be that the image used on those type of pages is breaking the onebox? Sorting that out may help them resolve nicely.

1 Like

There’s a specific script for Replit oneboxes:

When we paste a Replit link, the composer shows the expected result:

When the post is processed, the link is transformed into an empty iframe.

<iframe width="695" height="521" frameborder="0" data-unsanitized-src="" seamless="seamless" sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation">

I don’t know if the issue comes from Replit or from the onebox script. I’d guess it’s the script, but I’m no coder :slight_smile:

The link has proper opengraph tags, though: Sharing Debugger - Meta for Developers


I actually got it to work so that Discourse would not onebox but would onebox For some reason that only worked once though. After that it just blocked all oneboxing on both domains. Odd.

I help run the same forum as Firepup

After explicitly allowing Replit iframes, the following iframe code (Which seems similar to what @Canapin posted) works fine:

<iframe frameborder="0" width="500px" height="500px" src=""></iframe>

Manual testing confirms that this specific part of the iframe is the issue. Changing it to just src works as expected (See third post on this topic)