Control user(s): ability to use / access to <iframe> - how?

Hi guys.

Is it possible to control, to allow / deny, a given (specific) user's ability to use iframe (for embedded videos, most obviously)?

Adding this, passed a while as I re-read myself. The least would be - if technically a burden of such size that almost impossible, then do it as staff VS everybody else or perhaps per trust level.

And since I’m a complete novice - that same/similar question would apply to other aspects of user “powers” within Discourse. Is there a man page(s) which covers those bits?

I created a theme component that finds Strava and Garmin oneboxes and replaces them with iframes. If you have a fixed number of video sites you want to support, a similar solution might work:


@pfaffman Are you sure that your reply has anything to do with my question?

I’m simply asking if with “regular” means of management, in Discourse, it is possible to dis/allow use (or digestion or rendering or whatever tech term is most appropriate) of iframe (or onebox or whatever the term/technique is called).

If you meant in the reply, that there is a code which one could re-purpose that way - then it’s not for me nor the likes of me, not a web dev.

But if @devel read here - only started to use Discourse but having many long years as an admin of whole lot of things, I wonder:

  • how do you, did you decide on that “philosophical” aspect of user “freedom” to include any content (say, sticking to video purely for this)?

In my mind, a thing as critical as embedded video content — which even hosts/providers of cannot 100% control themselves, the content of it — should (must) be finely controlled (as all different computer systems I know treat any such/similar critical feature) on a per user/group basis.

So, I’d like to submit, as a suggestion, as a future enhancement — if Discourse has not contemplated that yet, if no ability for such control in Discourse exists as of today — to include such “hardening” mechanism/technique possibly in near future. I believe many will be grateful for great soft-solution - which Discourse obviously is already - made even better.


By default, Discourse does not allow users to insert most iframe elements into posts. This is controlled by the allowed iframes site setting. That setting accepts a list of src domains of iframes that are allowed to be added to posts.

There is no way to control which iframes can be added based on a user’s permissions though - there isn’t a staff allowed iframes setting.

For most cases, Discourse handles embedding external content with “oneboxes.” This allows users to insert links into a post. In some cases, Discourse then converts these links to iframes. For example, if a link to a YouTube video is added to its own line in the post editor, it’s converted to a video element that’s displayed in an iframe. There are a limited number of domains that Discourse handles in this way. For example, Vimeo, YouTube.

You can limit which domains get iframe oneboxes with the allowed onebox iframes site setting. The default value of this setting is *. If you want to limit this, click on the dropdown input that’s displayed below that setting. It lets you select specific domains from the list of domains that Discourse is configured to onebox as iframes.
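An added sketch, not Discourse's code and not part of the post above: one way to audit rendered post HTML against an iframe allowlist of the kind the allowed iframes setting describes. The host list, sample HTML, function names, exact-host matching and the https-only rule are all assumptions of this example.

```ruby
require "uri"

# Constructed allowlist in the spirit of "allowed iframes"
# (sample values, not Discourse's defaults).
ALLOWED_IFRAME_HOSTS = %w[www.youtube.com player.vimeo.com].freeze

# Constructed sample of rendered post HTML.
SAMPLE_POST = <<~HTML
  <p>Intro</p>
  <iframe src="https://www.youtube.com/embed/abc123" width="480"></iframe>
  <iframe width="480" src='https://www.youtube.com.example.net/embed/abc123'></iframe>
  <iframe src="//player.vimeo.com/video/1"></iframe>
  <iframe src="http://www.youtube.com/embed/abc123"></iframe>
HTML

# Regex extraction is enough for an audit pass; it is not a full HTML parser.
IFRAME_SRC = /<iframe\b[^>]*?\ssrc\s*=\s*(["'])(.*?)\1/im

# Returns every iframe src value found in the HTML, in document order.
def iframe_sources(html)
  html.scan(IFRAME_SRC).map { |_quote, src| src.strip }
end

# True only when the parsed host is exactly on the allowlist.
# Comparing the parsed host (not a string prefix) keeps a lookalike such as
# "www.youtube.com.example.net" from matching "www.youtube.com".
def allowed_iframe?(src, allowed_hosts)
  src = "https:#{src}" if src.start_with?("//") # protocol-relative URL
  uri = URI.parse(src)
  return false unless uri.is_a?(URI::HTTPS)     # this example's choice: https only
  allowed_hosts.include?(uri.host.to_s.downcase)
rescue URI::InvalidURIError
  false # unparseable src values are treated as not allowed
end

# Lists each iframe in the post with its allow/deny verdict.
def audit_iframes(html, allowed_hosts)
  iframe_sources(html).map do |src|
    { src: src, allowed: allowed_iframe?(src, allowed_hosts) }
  end
end

audit_iframes(SAMPLE_POST, ALLOWED_IFRAME_HOSTS).each do |row|
  puts format("%-5s %s", row[:allowed] ? "allow" : "deny", row[:src])
end
```

Passing an empty list to audit_iframes flags every iframe, which mirrors an allowlist with all sources removed.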


To complement the answer by @simon and addressing this specific point, you can set max oneboxes per post to 0 to disable oneboxing as a whole, which will also disable content like videos from YouTube and Vimeo.


If that param/value could be complemented & overridden by a ‘for/per user value’ - again, perhaps in future devel/releases - then many will appreciate greatly I’m sure. Thanks.

It does not seem to work for me. I set it to 0, yet user-created posts with iframes do show up as expected, with a frame/player, & do play okay.
Would there be another param/option which overrides this?
Also, how to understand *allowed iframes* in this context?

The max oneboxes per post setting controls the number of oneboxes that can be added to a post. The terminology could be confusing here, but a “onebox” is the way that Discourse handles links from a variety of sources. For example, if the link from the browser’s address bar for a YouTube or Vimeo video is added to a line of its own in a post, Discourse will generate a onebox video player for the link.

If you set max oneboxes per post to 0, users will not be able to create these types of oneboxes.

I think what you are finding is that the setting does not prevent users from adding iframe elements to posts. To prevent users from adding iframes to posts, remove any of the iframe sources that are listed in your site’s allowed iframes site setting. Here are that setting’s default values:

@simon - okay, thanks. That seems to be the case, yes, I think I better understand now what happens there - if iframe exists for a URI then max oneboxes per post = 0 means nothing to iframes.
Yes, nomenclature &| description there could be improved, to help newcomers.

To reiterate - it’s not possible to allow onebox &| iframe only to admins/moderators, correct?

I think Simon answered this already.


@Lilly can you/devel make it a feature request for future releases - thanks. I’m sure Discourse enhanced, enforced this way many! will appreciate.

How many users do you have that have actually requested this? You can make this feature request yourself if you want.

It is not users, it’s me as an admin - I laid out my rationale best I could a few posts back.