Iframe onebox has stopped working

I’ve set up one of our organisation’s systems to provide a onebox using this HTML tag

As an example: on the page https://domain.here/2345, I have this tag:

<link rel="alternate" type="application/json+oembed" href="https://domain.here/2345/oembed_json/" title="Onebox Embed">

https://domain.here/2345/oembed_json/ then provides

{"version": "1.0", "type": "rich", "html": "\u003ciframe src=\"https://domain.here/2345/embed/\" frameborder=\"0\" width=\"100%\" height=\"250\"\u003e\u003c/iframe\u003e"}

This used to work great, but has stopped working in the last few weeks (not sure exactly when). Currently on the latest version of Discourse, and I can reproduce the issue on meta. Oembed shows up fine on http://iframely.com/debug

I’d rather not make the URL to the actual system public, but can PM it to someone if that would help.

Any chances you could share one example? Even via a PM is fine.


I’ve setup a very simple example which displays the same issue. This URL should be oneboxing and becoming an iframe:



Works fine on the iframely debug tool and used to work fine on Discourse until about a month ago. Any ideas on what I can do to get this working again?

	<title>Test Page to be embedded</title>
	<link rel="alternate" type="application/json+oembed" href="http://discourse-test.taylorhq.co.uk/oembed_json.json" title="Embed JSON">
    This is a web page which has an application/json+oembed tag linking to <a href="http://discourse-  test.taylorhq.co.uk/oembed_json.json">Here</a>
   "html":"\u003ciframe src=\"http://discourse-test.taylorhq.co.uk/embed.html\" frameborder=\"0\" width=\"100%\" height=\"250\"\u003e\u003c/iframe\u003e",
	<title>Test Page</title>
This is the page that should be displayed in the iframe

I don’t think we support arbitrary embeds like that. The proper opengraph or oembed should have title, summary, image etc fields.

There are references to “rich” embeds with iframes in the “generic” onebox:


I believe the “whitelist” got removed fairly recently… could that be the issue? My site is no longer whitelisted?

I don’t think so. AFAIK the approach was changed from “don’t onebox unless whitelisted” to “onebox all the things unless blacklisted”
Conditional upon the “thing” being oneboxable of course.

1 Like

I’ve finally tracked down the cause of this. It broke on 6th Jan, after this commit by @zogstrip


My iframe already has a fixed height, defined in pixels like this

<iframe src="http://discourse-test.taylorhq.co.uk/embed.html" frameborder="0" width="100%" height="250"> </iframe>

The commit above added checks that data[:height] exists before accepting a ‘rich’ onebox… however, it’s not pulling that height from the parsed HTML, it’s trying to get it from the oembed JSON file. @zogstrip is this expected behaviour? Should I be defining the height of the iframe in the oembed JSON?


Are we all good on this now?


It’s weird looking back on support requests from before I joined the team :joy:

What I said above is still true. You need to explicitly specify a height for the iframe in the oembed json. You now also need to add the iframe domain to the whitelist in site settings (In March 2017 this was not required). In summary, onebox doesn’t really support the “rich oembed” specification too well.

Even in the spec, they have security concerns

Consumers may wish to load the HTML in an off-domain iframe to avoid XSS vulnerabilities.

Given the lack of sites actually using rich oembed, I think it’s fine to leave things as-is.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.