Disabling oneboxes

Hello! Does Discourse 3 have a solution for the old security problems with Onebox? I mean options in the settings to allow generating URL previews only for trusted domains like YouTube, Twitter, Vimeo.

Because without this setting Onebox can show the origin IP; it’s a gift for DDoS attackers.

Example: paste this link: https://maper.info/21TcY1.jpg

And where is the button in the composer for code formatting?

Disabling enable inline onebox on all domains will achieve exactly this. You configure approved domains via the inline_onebox_domain_allowlist site setting.

3 Likes

That is not true, at all.

2 Likes

If your community is one that attracts DDoS attacks, you need to do several things to keep your IP from leaking via DNS, SMTP, as well as oneboxes and external images (which are downloaded by default).

Unless you have a history of DDoS attacks, I would recommend that you worry about almost anything else.

2 Likes