Can we make custom oneboxes?

I’d like to embed a jsfiddle in a conversation. How can we do that?

The iframe embed code looks like:

<iframe width="100%" height="300" src="//" allowfullscreen="allowfullscreen" frameborder="0"></iframe>

Codepen is whitelisted by default:

Maybe we can test jsfiddle, let me check.


The big thing that needs testing is that there is 0 JS execution prior to a user clicking “run”. We can not risk people setting up JavaScript bombs.


Yes, at SitePoint we onebox codepens, but fiddles are only linked to.

It works well, and so far, AFAIK hasn’t introduced risk.

1 Like

What are those? Something that makes the CPU work 100%?

Well unrestricted JS can lead to an enormous class of issues, leaking confidential info via JSONP, high CPU when you hit a topic, trick users into thinking the page has information on it that is fake, phishing, the sky is the limit.


For a simple harmless example that is more representative of a common JavaScript newbie mistake than a malicious script, try running this and see how well you like it

for (var i = 0; i < 1000; i++) {

My bet is you close your browser or stop scripts well before it completes.


What exactly is different about codepen compared to jsfiddle that makes only codepen embeddable? Can’t both run javascript, and don’t both run in a iframe?

1 Like

Testing codepen bomb attempt:

Well, apparently codepen iframe embed doesn’t work.

How about HTML:

See the Pen JS Bomb Example by Joseph Orbegoso Pea (@trusktr) on CodePen.

Nope. How about URL:

Like all oneboxes, you are supposed to paste a link on a line by itself.

And as you can see it doesn’t run until clicked.

1 Like

Interesting, and I don’t see the result (infinite while loop that alerts).

It’s blocked by the sandbox for iframes since Chrome 46.

If we click “Edit on codepen” then it runs the code for the first time without the infinite loop detection!

codepen console.log bomb:

But then you are on the codepen website right? What does this has to do with Discourse?

Nothing unless the whole browser crashes. x} Probably Chrome won’t crash, but maybe some other browser?

Testing document.write bomb:

Use for testing, meta is for discussions.