Supporting iframe embeds from different domains?

I added Google Books to the list using

whiteListIframe(/^(https?:)?\/\/books\.google\.[a-z]{2,3}\/.+&output=embed.*/i);

and it works. But it’s not perfect yet because it is not strictly limited to real Google TLDs, which is a security issue. With the domains included by default, this has been solved by limiting them to the .com TLD. But at least in the case of YouTube this is too narrow.

I am not a RegEx expert and was not able to figure out how to specify a list of allowed TLDs. Anyone?

Simply replacing [a-z]{2,3} with something like (com|de|org) should work :slight_smile:

4 Likes

Well except for many other TLDs like .community and the like…

Sorry, I don’t understand. As far as I understood, @tophee was looking for a way to restrict the fuzzy match above to a concrete list of TLDs. google.community doesn’t appear to resolve to anything, but if @tophee wants to whitelist it anyways, adding it to the list like (com|de|org|community) should work, right?

3 Likes

Yes. BTW, does anyone know where to find a complete list of all TLDs used by a service such as YouTube or Google Books?

Sure, just reminding people that .com isn’t the only TLD any more… there are zillions of them, and I’m not just talking about .co.uk either!

Hi! I’m using this plugin to embed a go board on my forum, but the iframe size is too small.
Is there any way to change its size?

You can see a test on:
http://mrbaduk.com/t/test-gokibitz-iframe/75

The embed link is:
<iframe id="gokibitz-rkfMsvdbW" src="//gokibitz.com/kifu/rkfMsvdbW" style="width: 100%; min-height: 500px; display: block; border: 10px solid snow;"></iframe> <script src="//gokibitz.com/embed/rkfMsvdbW"></script>

Yes. You can’t use a style attribute - it gets stripped out by Discourse. Also, the script tag will be stripped out. You don’t need it for displaying the iframe.

The height has to be set to a fixed number. I think the only attributes you can use are width, height, and frameborder. Try something like:

<iframe src="//gokibitz.com/kifu/rkfMsvdbW" width="100%" height="800" frameborder="0"></iframe>

3 Likes

To answer my own question, here seems to be a good place to look:

https://en.wikipedia.org/wiki/List_of_Google_domains

Considering the length of that list, I almost think the simple fuzzy match option might actually be better than including the whole list in your regex. The most pragmatic approach is probably to pick a few TLDs based on where your membership sits and add more based on complaints. It’s really only an issue for highly international communities anyway.

3 Likes
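To make the trade-off in this subthread concrete, here is an added example (not code from the plugin or from anyone in this thread) that puts the fuzzy `[a-z]{2,3}` pattern beside a version restricted to an explicit TLD list and runs both over a few constructed iframe `src` values; the TLD list is an assumed one for illustration.

```javascript
// Added example: the fuzzy Google Books pattern from this thread compared with
// a whitelist limited to an explicit TLD list. Not part of the plugin.

// The thread's pattern, with the dot in "books.google" escaped. [a-z]{2,3}
// accepts any 2-3 letter TLD, including ones that anyone can register.
const FUZZY = /^(https?:)?\/\/books\.google\.[a-z]{2,3}\/.+&output=embed.*/i;

// Assumed list of TLDs this community actually needs (extend it from the
// Wikipedia list of Google domains). Multi-label TLDs such as co.uk need
// their inner dot escaped, which the fuzzy pattern cannot express at all.
const ALLOWED_TLDS = ["com", "de", "fr", "co\\.uk"];

// Strict pattern: the host must end exactly at a listed TLD, then a path,
// and the query string must still carry output=embed.
const STRICT = new RegExp(
  "^(https?:)?\\/\\/books\\.google\\.(" +
    ALLOWED_TLDS.join("|") +
    ")\\/.+&output=embed.*",
  "i"
);

function allowedByFuzzy(src) {
  return FUZZY.test(src);
}

function allowedByStrict(src) {
  return STRICT.test(src);
}

// Constructed sample src values: the first two are legitimate embeds, the
// rest should be refused. books.google.xyz stands in for a TLD not on the
// list; booksXgoogle.com would slip past an unescaped "books.google".
const SAMPLES = [
  "https://books.google.com/books?id=abc123&output=embed",
  "//books.google.co.uk/books?id=abc123&output=embed",
  "https://books.google.xyz/books?id=abc123&output=embed",
  "https://books.google.com.example.net/books?id=abc123&output=embed",
  "https://booksXgoogle.com/books?id=abc123&output=embed",
];

// Returns one verdict per sample so the two policies can be compared.
function classify(srcs) {
  return srcs.map((src) => ({
    src,
    fuzzy: allowedByFuzzy(src),
    strict: allowedByStrict(src),
  }));
}
```

Note that the fuzzy pattern rejects books.google.co.uk outright (the inner dot is not in `[a-z]`) while accepting books.google.xyz, which is the opposite of what a whitelist wants.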

If you’re using a fork of the Iframe Whitelist plugin with Discourse 1.9.0, you’ll need to sync your fork with the latest version, found here: https://github.com/scossar/whitelist-iframe.

3 Likes

For anyone using the whitelist-iframe plugin, it is broken on the latest version of Discourse (1.9.0.beta8.) There is now an allowed iframes setting on the Discourse settings page. Remove the whitelist-iframe plugin and add any iframe sources you would like to whitelist to that setting.

5 Likes

Anyone know the whitelist address (to put in settings) for any of these sites?

Kind of a noob here.

https://www.timeanddate.com

https://countingdownto.com

Hmm is this countdown scenario a use case for your Chrono plugin @joffreyjaffeux?

1 Like

countingdownto.com gives an iframe that you can use for embedding. On the latest version of Discourse you can whitelist it with the ‘allowed iframes’ site setting. You have to supply the full URL, including all the digits for each timer you wish to embed (https://w2.countingdownto.com/1944356)

Edit: all you need to enter in the setting is the domain (https://w2.countingdownto.com)

4 Likes

Hi, I installed the plugin and the rebuild completed, but there is an error when posting: the alert says 500 Internal Server Error, like this:

whiteListIframe is not a function

This is my Discourse version.

Can this version not use this plugin?

Can you help me? Thanks!

This is the error log:

Message (5 copies reported)
Job exception: TypeError: (0 , _sanitizer.whiteListIframe) is not a function

The plugin will not work on your version of Discourse. You will need to remove it from your app.yml file and run ./launcher rebuild app.

You can now whitelist iframe URLs through the Discourse admin/security page.

4 Likes

Thank you very much. It works nicely.

1 Like

This question is very important, and it’s also too long… Could you please select one post as the best solution?

iframes can now be whitelisted through the allowed iframes Site Setting.

3 Likes