Can we make custom oneboxes?

(Joseph Orbegoso Pea (Joe Pea)) #1

I’d like to embed a jsfiddle in a conversation. How can we do that?

The iframe embed code looks like:

<iframe width="100%" height="300" src="//" allowfullscreen="allowfullscreen" frameborder="0"></iframe>

(Rafael dos Santos Silva) #2

Codepen is whitelisted by default:

Maybe we can test jsfiddle, let me check.

(Sam Saffron) #3

The big thing that needs testing is that there is 0 JS execution prior to a user clicking “run”. We cannot risk people setting up JavaScript bombs.

Jsfiddle-like embeds?
(Mittineague) #4

Yes, at SitePoint we onebox codepens, but fiddles are only linked to.

It works well, and so far, AFAIK hasn’t introduced risk.

(Joseph Orbegoso Pea (Joe Pea)) #5

What are those? Something that makes the CPU work 100%?

(Sam Saffron) #6

Well unrestricted JS can lead to an enormous class of issues, leaking confidential info via JSONP, high CPU when you hit a topic, trick users into thinking the page has information on it that is fake, phishing, the sky is the limit.

(Mittineague) #7

For a simple harmless example that is more representative of a common JavaScript newbie mistake than a malicious script, try running this and see how well you like it.

for (var i = 0; i < 1000; i++) {

My bet is you close your browser or stop scripts well before it completes.

(Joseph Orbegoso Pea (Joe Pea)) #9

What exactly is different about codepen compared to jsfiddle that makes only codepen embeddable? Can’t both run javascript, and don’t both run in an iframe?

(Rafael dos Santos Silva) #10

(Joseph Orbegoso Pea (Joe Pea)) #11

Testing codepen bomb attempt:

(Joseph Orbegoso Pea (Joe Pea)) #12

Well, apparently codepen iframe embed doesn’t work.

How about HTML:

See the Pen JS Bomb Example by Joseph Orbegoso Pea (@trusktr) on CodePen.

(Joseph Orbegoso Pea (Joe Pea)) #13

Nope. How about URL:

(Rafael dos Santos Silva) #14

Like all oneboxes, you are supposed to paste a link on a line by itself.

And as you can see it doesn’t run until clicked.

(Joseph Orbegoso Pea (Joe Pea)) #15

Interesting, and I don’t see the result (infinite while loop that alerts).

(Rafael dos Santos Silva) #16

It’s blocked by the sandbox for iframes since Chrome 46.
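
The two properties discussed in this thread, Sam’s requirement in #3 that no JavaScript runs until the reader clicks, and the iframe sandbox Rafael mentions in #16, as an added example in JavaScript. This is not Discourse’s own onebox code; the codepen.io hostname, the /embed/ URL form, the CSS class names and the HTML structure are assumptions for illustration:

```javascript
// Added example, not Discourse's onebox implementation. A pasted pen URL is
// turned into a static placeholder (a plain link, no iframe, no script); only
// when the reader clicks is the iframe inserted, and that iframe carries a
// sandbox attribute. Chrome 46+ blocks alert()/confirm()/prompt() inside a
// sandboxed frame unless "allow-modals" is granted, so an alert() loop like the
// one tried above never gets a chance to fire.
// Assumptions: the whitelist, the /embed/ URL shape and the markup below.

const ALLOWED_EMBED_HOSTS = new Set(["codepen.io"]);

// Minimal escaping so the pasted URL can never break out of an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only https://codepen.io/<user>/pen/<id> (assumed URL shape) and map
// it to the embed URL; anything else (other hosts, http:, javascript:,
// look-alike hostnames, odd paths) returns null and stays a plain link.
function codepenEmbedUrl(pasted) {
  let u;
  try { u = new URL(pasted); } catch { return null; }
  if (u.protocol !== "https:" || !ALLOWED_EMBED_HOSTS.has(u.hostname)) return null;
  const m = u.pathname.match(/^\/([A-Za-z0-9_-]+)\/pen\/([A-Za-z0-9]+)\/?$/);
  if (!m) return null;
  return `https://codepen.io/${m[1]}/embed/${m[2]}?default-tab=result`;
}

// What the cooked post contains: a placeholder with no iframe at all, so
// zero third-party JS executes while the topic is merely being read.
function oneboxHtml(pasted) {
  const src = codepenEmbedUrl(pasted);
  if (src === null) return null;
  return `<div class="onebox-embed" data-embed-src="${escapeHtml(src)}">` +
    `<a href="${escapeHtml(pasted)}" rel="nofollow noopener" target="_blank">` +
    `Run this pen</a></div>`;
}

// The iframe that replaces the placeholder after a click. The sandbox grants
// only allow-scripts and allow-same-origin (the frame acts as codepen.io, not
// as the forum); it deliberately withholds allow-modals (alert loops),
// allow-top-navigation (redirecting the forum tab), allow-popups and
// allow-forms.
function sandboxedIframeHtml(src) {
  return `<iframe src="${escapeHtml(src)}" ` +
    `sandbox="allow-scripts allow-same-origin" ` +
    `width="100%" height="300" frameborder="0" ` +
    `referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}

// Browser side: swap a placeholder for its iframe on click. Needs a DOM, so
// it is not exercised when this file is run under Node.
function activateOnClick(root = document) {
  root.addEventListener("click", (ev) => {
    const box = ev.target.closest(".onebox-embed");
    if (!box) return;
    ev.preventDefault();
    box.outerHTML = sandboxedIframeHtml(box.dataset.embedSrc);
  });
}
```

The split between oneboxHtml and sandboxedIframeHtml is the point: the server never emits an iframe, so a topic with a hundred pens costs nothing until someone clicks one, and the sandbox attribute is set on the client at insertion time rather than trusted from post markup.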

(Joseph Orbegoso Pea (Joe Pea)) #17

If we click “Edit on codepen” then it runs the code for the first time without the infinite loop detection!

(Joseph Orbegoso Pea (Joe Pea)) #18

codepen console.log bomb:

(Rafael dos Santos Silva) #19

But then you are on the codepen website right? What does this have to do with Discourse?

(Joseph Orbegoso Pea (Joe Pea)) #20

Nothing unless the whole browser crashes. x} Probably Chrome won’t crash, but maybe some other browser?

Testing document.write bomb:

(Rafael dos Santos Silva) #21

Use for testing, meta is for discussions.