Iframe allow attribute not working

I have added a codesandbox iframe with different attributes but Discourse is just getting the src. Should I change something in Discourse Settings? I have already allowed this iframe and it is showing, but not correctly.

This is the iframe I am trying to add:

<iframe 
  src="https://codesandbox.io/embed/codesandbox-frontity-rnclp?fontsize=14" 
  title="Frontity - Post with recompose" 
  allow="geolocation; microphone; camera; midi; vr; accelerometer; gyroscope; payment; ambient-light-sensor; encrypted-media; usb" 
  style="width:100%; height:500px; border:0; border-radius: 4px; overflow:hidden;" 
  sandbox="allow-modals allow-forms allow-popups allow-scripts allow-same-origin"
></iframe>

But it is just rendering this:

So the iframe is not showing correctly:

It works for me

image.png1268×70 6.02 KB

Just to be sure, did you add the iframe url (https://codesandbox.io/embed/codesandbox-frontity-rnclp) in whitelist? If not, search the site setting allowed iframes.

I have this domain: https://codesandbox.io/. Shouldn’t be enough? I have found this code at Discourse where it whitelists just some iframe attributes:

If I include the attributes height and weight the iframe works fine, but I would like to allow the other attributes too.

Is there a way of allowing all codesandbox iframes? I thought including just the domain it would work.

Thank you!

EDIT:

I have tried adding this url in whitelist but it is not working neither.

I am also running into this problem. I would like to add a class on the IFRAME that I am embedding in my policy privacy post, which embeds the privacy tracking settings from our self-hosted Matomo installation. This would allow me to add a better border and some color to differentiate it from the rest of the privacy policy.

Despite having a class="foo" in my IFRAME element, it is being stripped out, apparently by the white-lister code above. Any chance this could be expanded to have a few more attributes allowed?

For security we are very strict of what HTML attributes can be rendered in our page when they come from user input.

What you can do to get that is:

<div data-my-special-attr="42">
  <iframe src="http://example.com">
</div>

and then target that with your CSS / JS selector:

div[data-my-special-attr="42"] > iframe {
  border-color: pink;
}

Thanks! That worked on both the topic page and the rendered privacy policy special page as well.

Of note if anyone else is trying this, you can’t add a class attribute, you literally need to add an attribute along the lines of data-foo-attr.

Rafael thanks for the statement, it clarifies my observed behaviour.
I would like to know whether you have any plans of releasing that lock for audio/video attributes of an iframe. Modern browsers manage accessibility quite good for those allowances, and there are increasingly interesting service offerings which would be great to integrate by users but just lack this type of accessibility.
Thanks.

We are always open to feedback!

It gets easier if we talk about specifics, like what are the exact attributes you want allowlisted and for what services they are necessary.

ok. I especially think about Jam Systems / Jam · GitLab which would need an allow=“microphone *;” parameter to work properly.

I am running into same issue attempting to embed an H5P audio recorder; the allow=“microphone *;” option is stripped from the iframe.

What would take to perhaps have an iframe setting to allow allows?

我们能否允许管理员指定他们想要允许的 iframe 属性？

这会很有用，但我们也乐于看到 allow 属性被列入所有内容的白名单。我们目前在使用嵌入式 Apple 和 Spotify 播客播放器时遇到音频播放问题。正如其他人提到的，问题在于 allow 属性被剥离了，而该属性包含一个重要的 encrypted-media 指令。

鉴于我们已经严格限制了可以在 iframe 中使用的域名，再增加一个设置，让我们为每个 iframe 设置 allow 字符串并解析奇怪的 allow 内容格式，对我来说似乎有点过了。

我做了一个 PR，它只是允许在已允许的 iframe 中使用 allow 属性中的任何内容：

你怎么看 @sam？

嗯，我想我没意见，我明白你的逻辑了，@david 有什么异议吗？

此更改已合并 @santosguillamot @selfscrum @cogdog @gilby