Can we make custom oneboxes?

trusktr · October 12, 2016, 8:01pm

I’d like to embed a jsfiddle in a conversation. How can we do that?

The iframe embed code looks like:

<iframe width="100%" height="300" src="//jsfiddle.net/trusktr/32cnvse3/embedded/" allowfullscreen="allowfullscreen" frameborder="0"></iframe>

Falco · October 12, 2016, 8:05pm

Codepen is whitelisted by default:

http://codepen.io/jarrodthibodeau/pen/EgPVpV

Maybe we can test jsfiddle, let me check.

sam · October 12, 2016, 11:30pm

The big thing that needs testing is that there is 0 JS execution prior to a user clicking “run”. We can not risk people setting up JavaScript bombs.

Mittineague · October 12, 2016, 11:57pm

Yes, at SitePoint we onebox codepens, but fiddles are only linked to.

It works well, and so far, AFAIK hasn’t introduced risk.

trusktr · October 13, 2016, 7:23am

What are those? Something that makes the CPU work 100%?

sam · October 13, 2016, 9:10am

Well unrestricted JS can lead to an enormous class of issues, leaking confidential info via JSONP, high CPU when you hit a topic, trick users into thinking the page has information on it that is fake, phishing, the sky is the limit.

Mittineague · October 13, 2016, 3:32pm

For a simple harmless example that is more representative of a common JavaScript newbie mistake than a malicious script, try running this and see how well you like it

for (var i = 0; i < 1000; i++) {
 alert(i);
}

My bet is you close your browser or stop scripts well before it completes.

trusktr · May 25, 2017, 6:20pm

What exactly is different about codepen compared to jsfiddle that makes only codepen embeddable? Can’t both run javascript, and don’t both run in a iframe?

Falco · May 25, 2017, 6:24pm

trusktr · May 25, 2017, 6:26pm

Testing codepen bomb attempt:

trusktr · May 25, 2017, 6:26pm

Well, apparently codepen iframe embed doesn’t work.

How about HTML:

See the Pen JS Bomb Example by Joseph Orbegoso Pea (@trusktr) on CodePen.

trusktr · May 25, 2017, 6:27pm

Nope. How about URL:

https://codepen.io/trusktr/pen/JNzzKQ

Falco · May 25, 2017, 6:28pm

Like all oneboxes, you are supposed to paste a link on a line by itself.

And as you can see it doesn’t run until clicked.

trusktr · May 25, 2017, 6:29pm

Interesting, and I don’t see the result (infinite while loop that alerts).

Falco · May 25, 2017, 6:31pm

It’s blocked by the sandbox for iframes since Chrome 46.

trusktr · May 25, 2017, 6:33pm

If we click “Edit on codepen” then it runs the code for the first time without the infinite loop detection!

trusktr · May 25, 2017, 6:35pm

codepen console.log bomb:

https://codepen.io/trusktr/pen/oWVVqb

Falco · May 25, 2017, 6:36pm

But then you are on the codepen website right? What does this has to do with Discourse?

trusktr · May 25, 2017, 6:38pm

Nothing unless the whole browser crashes. x} Probably Chrome won’t crash, but maybe some other browser?

Testing document.write bomb:

https://codepen.io/trusktr/pen/WjmmJJ

Falco · May 25, 2017, 6:38pm

Use try.discourse.org for testing, meta is for discussions.

Topic		Replies	Views
Jsfiddle-like embeds? feature	8	2793	March 20, 2017
Embedding pens from CodePen feature	66	15106	August 18, 2022
CodePen is no longer oneboxing? support	4	708	July 28, 2019
Shadowboxes for IFRAMEs support	11	1836	December 26, 2020
Iframe onebox has stopped working support	10	1649	June 12, 2019

Can we make custom oneboxes?

Related Topics