Onebox Iframe/Cookies e.g. Vimeo (GDPR)

I totally like the QoL oneboxes bring to the Discourse users. However, i stumbled upon the following ‘issue’:

  • While Youtube for example is embedded via LazyYT and therefore doesn’t load the iframe and attached cookies until the users presses play, this functionally seems to be absent for every other player onebox.
  • Vimeo for example loads the entire iframe, player and cookies on page load

Therefore my question: Is it planned to replicate the LazyYT functionality on other oneboxes like Vimeo or how would be the best way to go about it on my own. I am aware that i am able to simply blacklist Vimeo and the like which only should be my last resort, though.

I know it is debatable if this is necessary to comply with GDPR, but nonetheless I think better control over embedded 3rd party content would be worthwhile as the LazyYT example shows to some extent.


I know we are all dealing with lots of GDPR edge cases, but not sure what the Iframe risk is? AFAIK Iframe cannot access parent cookies?

I may be wrong of course…


As I see it every of those iframes transfers IP, and load third-party non-essential cookies for every user (also not registered ones) before they are able to agree with that.

Apart from that especially topics with multiple embeds could run into performance issues when for example 10 players are loading at the same time.

LazyYT does it pretty fine I think, and Preview in post creation. (Option for a 3rd party hint on top of the preview image could be helpful, too)


I’ve noticed a few European websites now let the user decide whether they want to see embedded content. This is especially useful for sites that are known to follow you around the web and build a profile even if you haven’t signed up with them. I’d like to give community members that kind of control over their privacy.

:white_check_mark: show content from Facebook

Something like this near every embed or in the user preferences might be too much for some, though. A more seamless alternative could be Embetty:


Have you found a solution to implement this in Discourse? I would also be interested in it.

No, I haven’t tried because of a severe lack of skills.

1 Like

Maybe a first simple step would be to implement a general option in the user settings to enable/disable 3rd party content, activating/deactivating the onebox feature on a per user base?

We are also craving for an option like this, but are not really able to implement it.


Unfortunately that is not enough. As anonymous traffic falls also under GDPR.

This is what most websites do currently in the EU:

Before clicking the switch:

After clicking the switch:

1 Like