I have added a codesandbox iframe with different attributes but Discourse is just getting the src. Should I change something in Discourse Settings? I have already allowed this iframe and it is showing, but not correctly.
Despite having a class="foo" in my IFRAME element, it is being stripped out, apparently by the white-lister code above. Any chance this could be expanded to have a few more attributes allowed?
Rafael thanks for the statement, it clarifies my observed behaviour.
I would like to know whether you have any plans of releasing that lock for audio/video attributes of an iframe. Modern browsers manage accessibility quite good for those allowances, and there are increasingly interesting service offerings which would be great to integrate by users but just lack this type of accessibility.
This would be useful, but we’d also be happy with the allow attribute being whitelisted for all. We’re currently running into audio playback issues with embedded Apple and Spotify podcast players. As others have mentioned, the issue is that the allow attribute is being stripped, which contains an important encrypted-media directive.
Since we are already strict about which domains can be used in iframes, having yet another setting where we set the allow string for each iframe and parsing the weird allow content format seems a bit much for me.
I made a PR that simply allows using anything in the allow attribute for already allowed iframes: