Steam links inconsistently oneboxed & editor preview not displaying correctly

Issue:

Taking the following links as an example:

http://store.steampowered.com/app/107410/Arma_3/

http://store.steampowered.com/app/286160/Tabletop_Simulator/

The top link will show up as a normal oneboxed link, while the bottom will show up with the nice custom Steam look. This happens across various links to Steam store pages, so if you were to paste a large list you’d have some getting oneboxed one way and some the other. I don’t know of any reason why some links work and some don’t, just from a quick observation.

Additionally, the top link will onebox correctly in the preview pane of the editor, while the bottom link will show up as a large gray square (I think this may have always been a bit wonky, though? - just wanted to mention it).

As a note, I don’t think the Steam store apps used to include the name of the game at the end, but it doesn’t seem to make a difference either way that they’re there.

2 Likes

Looking at the rendered HTML for your post, you can see that the first link is being rendered as a regular ol’ onebox, while the latter is being included wholesale in an iframe. The class on the <aside> is whitelistedgeneric, which is what the onebox gem uses when it can’t figure out what else to do with a page that has oEmbed/OpenGraph tags.

Now, where this gets really interesting is that, if I call onebox directly, everything works:

>> Onebox.preview('http://store.steampowered.com/app/107410/Arma_3/').to_s
=> "          <iframe src=\"https://store.steampowered.com/widget/107410\" frameborder=\"0\" width=\"100%\" height=\"190\" seamless=\"seamless\" sandbox=\"allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox\">\n          </iframe>\n"
>> Onebox.preview('http://store.steampowered.com/app/286160/Tabletop_Simulator/').to_s
=> "          <iframe src=\"https://store.steampowered.com/widget/286160\" frameborder=\"0\" width=\"100%\" height=\"190\" seamless=\"seamless\" sandbox=\"allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox\">\n          </iframe>\n"

That’s with both the latest git code, and what I think is the release running in Discourse at the moment (1.8.8; the git repo doesn’t consistently have release tags, so I’m kinda flying blind a bit).

So… this looks like it is a Discourse-specific problem, somehow. I can reproduce the problem on try, which is heartening. However, running the code on meta, behind the scenes, works as expected:

$ ./mothership console meta
[1] pry(main)> Onebox.preview('http://store.steampowered.com/app/107410/Arma_3/').to_s
=> "          <iframe src=\"https://store.steampowered.com/widget/107410\" frameborder=\"0\" width=\"100%\" height=\"190\" seamless=\"seamless\" sandbox=\"allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox\">\n" +
"          </iframe>\n"
[2] pry(main)> Onebox.preview('http://store.steampowered.com/app/286160/Tabletop_Simulator/').to_s
=> "          <iframe src=\"https://store.steampowered.com/widget/286160\" frameborder=\"0\" width=\"100%\" height=\"190\" seamless=\"seamless\" sandbox=\"allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox\">\n" +
"          </iframe>\n"

It’s at this point I’m going to stop, because my appetite for mysteries has been satiated. I call upon someone else on the @team to take up utensils!

8 Likes

@eviltrout maybe have a look at this, it’s a bit odd. :face_with_head_bandage:

3 Likes

It’s another issue with our SSRF protection that follows redirects. In this case, we try to follow redirects on Steam URLs, and some pages are age restricted. Tabletop Simulator is an all ages game but Arma 3 requires you to be 18 to view.

The solution was to add a list of sites to “avoid redirects” from with Steam in it for now. It works again (but previous versions will need to be re-baked.)

https://github.com/discourse/discourse/commit/db485ae0da9391b7e4cac573d992f4d0ea2ab7e4

8 Likes
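A minimal model of the behaviour described in the post above, added here as an illustration and not taken from Discourse or the onebox gem: a resolver that checks every redirect hop against blocked address ranges, plus a per-host list that skips redirect-following. All names (`resolve_final_url`, `AVOID_REDIRECT_HOSTS`, and so on) are hypothetical, and the DNS answers, redirect table and age-gate URL are constructed so the code runs offline.

```ruby
require "uri"
require "ipaddr"

# Constructed sample data (not real lookups or responses).
SAMPLE_DNS = {
  "store.steampowered.com" => "203.0.113.10",
  "example.org"            => "198.51.100.7",
  "internal.example"       => "10.0.0.5",
}.freeze
ARMA     = "http://store.steampowered.com/app/107410/Arma_3/"
TABLETOP = "http://store.steampowered.com/app/286160/Tabletop_Simulator/"
AGE_GATE = "http://store.steampowered.com/agecheck/app/107410/" # constructed
SAMPLE_REDIRECTS = {
  ARMA                      => AGE_GATE, # age-restricted page bounces to a gate
  "http://example.org/a"    => "http://example.org/b",
  "http://example.org/evil" => "http://internal.example/admin",
}.freeze

BLOCKED_NETS = %w[0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
                  172.16.0.0/12 192.168.0.0/16].map { |n| IPAddr.new(n) }.freeze
# Hypothetical list: hosts whose URLs are used as given, redirects not followed.
AVOID_REDIRECT_HOSTS = %w[store.steampowered.com].freeze

def host_allowed?(host, dns)
  ip = dns[host]
  return false unless ip # unresolvable host: fail closed
  addr = IPAddr.new(ip)
  BLOCKED_NETS.none? { |net| net.include?(addr) }
end

# Returns the URL a onebox should be built from, or nil if any hop is unsafe.
def resolve_final_url(url, avoid: AVOID_REDIRECT_HOSTS, dns: SAMPLE_DNS,
                      redirects: SAMPLE_REDIRECTS, max_hops: 5)
  max_hops.times do
    uri = URI.parse(url)
    return nil unless %w[http https].include?(uri.scheme)
    # The address check runs before the avoid list, so skipping redirects
    # for a host never skips the SSRF check on that host.
    return nil unless host_allowed?(uri.host, dns)
    return url if avoid.include?(uri.host)
    target = redirects[url]
    return url if target.nil? # no redirect: this is the final destination
    url = target
  end
  nil # redirect chain too long
end
```

With an empty `avoid:` list the Arma 3 link resolves to the age gate rather than the app page, which is the inconsistency reported in this thread; the Tabletop Simulator link is unaffected either way.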

Confirmed working on my site now.

Thanks!

5 Likes