Rich onebox stopped working

I noticed the onebox for my website stopped working on the Discourse forum I am visiting. It was working in 1.8.x, but now the forum has been updated to 1.9.3 and my oneboxes are no longer working. I checked on try.discourse.org and it is the same. The onebox URLs look like this:

My website returns the following oembed:

{
  "version":"1.0",
  "type":"rich",
  "width":600,
  "height":400,
  "title":"metr",
  "html":"<iframe src=\"https://metr.at/r/CF1go?oembed=true\" width=\"600\" height=\"400\" frameborder=\"0\"></iframe>",
  "provider_name":"metr.at",
  "provider_url":"https://metr.at"
}

I went through the commit history in the onebox GitHub and found 407fd0b8d6d41956e2400efc1918ace255aecd37 “Security: sandbox iframes, add rel to abs anchors”.

Can it be that my onebox fails because of iframe and security? Is there something I can do?

I suspect that it is the iframe. Can you remove it?

I cannot remove the iframe because the whole onebox is the iframe. If I remove it, there will be nothing left.

2 Likes

Discourse 1.8 uses onebox 1.8.12 and the commit you referenced was already part of that version. So, it must be something else. If your problem is caused by changes to the onebox gem, it should be one of the 79 commits: https://github.com/discourse/onebox/compare/e9164ee70186f87d2f2197de37a3a43f1274a060...master

5 Likes

iframely is totally happy, by the way: http://iframely.com/debug?uri=https%3A%2F%2Fmetr.at%2Fr%2FCF1go

I think I found the problem:

https://github.com/discourse/discourse/commit/d6b22e6cc1b19a5279774fbe3a0138caca7918ea

Do I understand right: the iframe will not be oneboxed unless whitelisted in the forum settings?

3 Likes

That’s exactly right :+1:

4 Likes
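As an added illustration of the conclusion above (not part of the thread and not Discourse's or onebox's own code): a sketch of an iframe allowlist check applied to the oEmbed response from the first post. The function names, the allowlist value `https://metr.at/` and the choice to compare parsed origins instead of string prefixes are assumptions made for this example; origin comparison is used so that a lookalike host sharing the same prefix does not pass.

```ruby
require "json"
require "uri"

# Constructed sample: the oEmbed response quoted in the thread.
OEMBED = <<~'JSON'
  {"version":"1.0","type":"rich","width":600,"height":400,"title":"metr",
   "html":"<iframe src=\"https://metr.at/r/CF1go?oembed=true\" width=\"600\" height=\"400\" frameborder=\"0\"></iframe>",
   "provider_name":"metr.at","provider_url":"https://metr.at"}
JSON

# Returns every iframe src found in the "html" field of a rich oEmbed response.
def iframe_sources(oembed_json)
  doc = JSON.parse(oembed_json)
  return [] unless doc["type"] == "rich" && doc["html"].is_a?(String)
  doc["html"].scan(/<iframe\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/i).flatten
end

# Origin = scheme + host + port; nil for anything that is not absolute http(s).
def origin(url)
  uri = URI.parse(url)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}"
rescue URI::InvalidURIError
  nil
end

# True only when the response has at least one iframe and every iframe
# comes from an origin on the (hypothetical) allowlist.
def embeddable?(oembed_json, allowed)
  allowed_origins = allowed.map { |a| origin(a) }.compact
  sources = iframe_sources(oembed_json)
  !sources.empty? && sources.all? { |src| allowed_origins.include?(origin(src)) }
end

if __FILE__ == $PROGRAM_NAME
  lookalike = OEMBED.sub("metr.at/r", "metr.at.example.test/r") # constructed host
  puts "empty allowlist:     #{embeddable?(OEMBED, [])}"
  puts "metr.at allowed:     #{embeddable?(OEMBED, ['https://metr.at/'])}"
  puts "lookalike host:      #{embeddable?(lookalike, ['https://metr.at/'])}"
end
```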