Iframe allow attribute not working

santosguillamot · 2. September 2019 um 09:10

I have added a codesandbox iframe with different attributes but Discourse is just getting the src. Should I change something in Discourse Settings? I have already allowed this iframe and it is showing, but not correctly.

This is the iframe I am trying to add:

<iframe 
  src="https://codesandbox.io/embed/codesandbox-frontity-rnclp?fontsize=14" 
  title="Frontity - Post with recompose" 
  allow="geolocation; microphone; camera; midi; vr; accelerometer; gyroscope; payment; ambient-light-sensor; encrypted-media; usb" 
  style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" 
  sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"
></iframe>

But it is just rendering this:

Need_to_integrate_react-stripe-elements_-%F0%9F%A4%97_Dev_Talk___Questions-_Frontity_Community_Forum

So the iframe is not showing correctly:

dax · 2. September 2019 um 14:44

It works for me

Just to be sure, did you add the iframe url (https://codesandbox.io/embed/codesandbox-frontity-rnclp) in whitelist? If not, search the site setting allowed iframes.

santosguillamot · 2. September 2019 um 14:56

I have this domain: https://codesandbox.io/. Shouldn’t be enough? I have found this code at Discourse where it whitelists just some iframe attributes:

github.com

discourse/discourse/blob/06d974d55cb44fb3577a98a2d89d93542200fe52/app/assets/javascripts/pretty-text/white-lister.js.es6#L164-L169


      
          "iframe",
          "iframe[frameborder]",
          "iframe[height]",
          "iframe[marginheight]",
          "iframe[marginwidth]",
          "iframe[width]",

If I include the attributes height and weight the iframe works fine, but I would like to allow the other attributes too.

Is there a way of allowing all codesandbox iframes? I thought including just the domain it would work.

Thank you!

EDIT:

I have tried adding this url in whitelist but it is not working neither.

downey · 4. März 2021 um 21:15

I am also running into this problem. I would like to add a class on the IFRAME that I am embedding in my policy privacy post, which embeds the privacy tracking settings from our self-hosted Matomo installation. This would allow me to add a better border and some color to differentiate it from the rest of the privacy policy.

Despite having a class="foo" in my IFRAME element, it is being stripped out, apparently by the white-lister code above. Any chance this could be expanded to have a few more attributes allowed?

Falco · 4. März 2021 um 21:24

For security we are very strict of what HTML attributes can be rendered in our page when they come from user input.

What you can do to get that is:

<div data-my-special-attr="42">
  <iframe src="http://example.com">
</div>

and then target that with your CSS / JS selector:

div[data-my-special-attr="42"] > iframe {
  border-color: pink;
}

downey · 5. März 2021 um 17:17

Thanks! That worked on both the topic page and the rendered privacy policy special page as well.

Of note if anyone else is trying this, you can’t add a class attribute, you literally need to add an attribute along the lines of data-foo-attr.

selfscrum · 30. März 2021 um 20:39

Rafael thanks for the statement, it clarifies my observed behaviour.
I would like to know whether you have any plans of releasing that lock for audio/video attributes of an iframe. Modern browsers manage accessibility quite good for those allowances, and there are increasingly interesting service offerings which would be great to integrate by users but just lack this type of accessibility.
Thanks.

Falco · 30. März 2021 um 20:43

We are always open to feedback!

It gets easier if we talk about specifics, like what are the exact attributes you want allowlisted and for what services they are necessary.

selfscrum · 30. März 2021 um 20:45

ok. I especially think about Jam Systems / Jam · GitLab which would need an allow=“microphone *;” parameter to work properly.

cogdog · 4. November 2021 um 18:57

I am running into same issue attempting to embed an H5P audio recorder; the allow=“microphone *;” option is stripped from the iframe.

What would take to perhaps have an iframe setting to allow allows?

codinghorror · 14. November 2021 um 06:16

Können wir Administratoren erlauben, anzugeben, welche iframe-Attribute sie zulassen möchten?

gilby · 28. Juni 2022 um 22:30

Das wäre nützlich, aber wir wären auch mit dem allow-Attribut zufrieden, das für alle auf die Whitelist gesetzt wird. Wir haben derzeit Probleme mit der Audiowiedergabe bei eingebetteten Apple- und Spotify-Podcast-Playern. Wie andere bereits erwähnt haben, besteht das Problem darin, dass das allow-Attribut entfernt wird, das eine wichtige encrypted-media-Direktive enthält.

Falco · 30. Juni 2022 um 19:48

Da wir bereits streng sind, welche Domains in iframes verwendet werden dürfen, ist eine weitere Einstellung, bei der wir den allow-String für jeden iframe festlegen und das seltsame allow-Inhaltsformat parsen, für mich etwas zu viel.

Ich habe einen PR erstellt, der einfach alles im allow-Attribut für bereits erlaubte iframes zulässt:

Was denkst du, @sam?

sam · 4. Juli 2022 um 07:21

Hmm, ich bin damit einverstanden, ich sehe deine Logik hier, @david, gibt es Einwände?

Falco · 5. Juli 2022 um 18:52

Diese Änderung wurde zusammengeführt @santosguillamot @selfscrum @cogdog @gilby

Thema		Antworten	Aufrufe
Supporting iframe embeds from different domains? Feature	58	23069	30. August 2018
Allowed iframes whitelist not working - 'x-frame-options: SAMEORIGIN' Support	4	872	30. Juni 2022
Iframe issue without URL Support	10	1437	5. Juni 2019
Full screen videos plugin Plugin	2	1520	12. September 2019
Replacement for whitelist-iframe Support	3	1863	27. April 2020

Iframe allow attribute not working

Verwandte Themen