Iframe allow attribute not working

santosguillamot · September 2, 2019, 9:10am

I have added a codesandbox iframe with different attributes but Discourse is just getting the src. Should I change something in Discourse Settings? I have already allowed this iframe and it is showing, but not correctly.

This is the iframe I am trying to add:

<iframe 
  src="https://codesandbox.io/embed/codesandbox-frontity-rnclp?fontsize=14" 
  title="Frontity - Post with recompose" 
  allow="geolocation; microphone; camera; midi; vr; accelerometer; gyroscope; payment; ambient-light-sensor; encrypted-media; usb" 
  style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" 
  sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"
></iframe>

But it is just rendering this:

Need_to_integrate_react-stripe-elements_-%F0%9F%A4%97_Dev_Talk___Questions-_Frontity_Community_Forum

So the iframe is not showing correctly:

dax · September 2, 2019, 2:44pm

It works for me

Just to be sure, did you add the iframe url (https://codesandbox.io/embed/codesandbox-frontity-rnclp) in whitelist? If not, search the site setting allowed iframes.

santosguillamot · September 2, 2019, 2:56pm

I have this domain: https://codesandbox.io/. Shouldn’t be enough? I have found this code at Discourse where it whitelists just some iframe attributes:

github.com

discourse/discourse/blob/06d974d55cb44fb3577a98a2d89d93542200fe52/app/assets/javascripts/pretty-text/white-lister.js.es6#L164-L169


      
          "iframe",
          "iframe[frameborder]",
          "iframe[height]",
          "iframe[marginheight]",
          "iframe[marginwidth]",
          "iframe[width]",

If I include the attributes height and weight the iframe works fine, but I would like to allow the other attributes too.

Is there a way of allowing all codesandbox iframes? I thought including just the domain it would work.

Thank you!

EDIT:

I have tried adding this url in whitelist but it is not working neither.

downey · March 4, 2021, 9:15pm

I am also running into this problem. I would like to add a class on the IFRAME that I am embedding in my policy privacy post, which embeds the privacy tracking settings from our self-hosted Matomo installation. This would allow me to add a better border and some color to differentiate it from the rest of the privacy policy.

Despite having a class="foo" in my IFRAME element, it is being stripped out, apparently by the white-lister code above. Any chance this could be expanded to have a few more attributes allowed?

Falco · March 4, 2021, 9:24pm

For security we are very strict of what HTML attributes can be rendered in our page when they come from user input.

What you can do to get that is:

<div data-my-special-attr="42">
  <iframe src="http://example.com">
</div>

and then target that with your CSS / JS selector:

div[data-my-special-attr="42"] > iframe {
  border-color: pink;
}

downey · March 5, 2021, 5:17pm

Thanks! That worked on both the topic page and the rendered privacy policy special page as well.

Of note if anyone else is trying this, you can’t add a class attribute, you literally need to add an attribute along the lines of data-foo-attr.

selfscrum · March 30, 2021, 8:39pm

Rafael thanks for the statement, it clarifies my observed behaviour.
I would like to know whether you have any plans of releasing that lock for audio/video attributes of an iframe. Modern browsers manage accessibility quite good for those allowances, and there are increasingly interesting service offerings which would be great to integrate by users but just lack this type of accessibility.
Thanks.

Falco · March 30, 2021, 8:43pm

We are always open to feedback!

It gets easier if we talk about specifics, like what are the exact attributes you want allowlisted and for what services they are necessary.

selfscrum · March 30, 2021, 8:45pm

ok. I especially think about Jam Systems / Jam · GitLab which would need an allow=“microphone *;” parameter to work properly.

cogdog · November 4, 2021, 6:57pm

I am running into same issue attempting to embed an H5P audio recorder; the allow=“microphone *;” option is stripped from the iframe.

What would take to perhaps have an iframe setting to allow allows?

codinghorror · November 14, 2021, 6:16am

Can we allow admins to specify which iframe attributes they want allowlisted?

gilby · June 28, 2022, 10:30pm

This would be useful, but we’d also be happy with the allow attribute being whitelisted for all. We’re currently running into audio playback issues with embedded Apple and Spotify podcast players. As others have mentioned, the issue is that the allow attribute is being stripped, which contains an important encrypted-media directive.

Falco · June 30, 2022, 7:48pm

Since we are already strict about which domains can be used in iframes, having yet another setting where we set the allow string for each iframe and parsing the weird allow content format seems a bit much for me.

I made a PR that simply allows using anything in the allow attribute for already allowed iframes:

What do you think @sam ?

sam · July 4, 2022, 7:21am

Hmm, I guess I am OK with this, I see your logic here, @david any objections?

Falco · July 5, 2022, 6:52pm

This changed was merged @santosguillamot @selfscrum @cogdog @gilby

Topic		Replies	Views
Iframe issue without URL Support	10	1385	June 5, 2019
Discourse not shown in iframe Support unsupported-install	30	8258	April 26, 2021
Whitelist, allowed iframe Feature	11	6454	September 27, 2018
[regression] iframe embedding broken with allowed src domain Support	18	66	October 24, 2024
Support embedding Discourse in an iframe Feature embedding	15	7717	April 19, 2024

Iframe allow attribute not working

Related topics