FEATURE: Additional control of iframes in oneboxes (#10523)

This commit adds a new site setting "allowed_onebox_iframes". By default, all onebox iframes are allowed. When the list of domains is restricted, Onebox will automatically skip engines which require those domains, and use a fallback engine.
2025-02-25 18:55:32 -06:00 · 2020-08-27 20:12:13 +01:00
parent c172f2068d
commit a3577435f7
7 changed files with 84 additions and 48 deletions
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1482,6 +1482,11 @@ security:
  allowed_internal_hosts:
    default: ""
    type: list
+  allowed_onebox_iframes:
+    default: "*"
+    type: list
+    allow_any: false
+    choices: "['*'] + Onebox::Engine.all_iframe_origins"
  allowed_iframes:
    default: "https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/"
    type: list