FEATURE: Additional control of iframes in oneboxes (#10523)

This commit adds a new site setting "allowed_onebox_iframes". By default, all onebox iframes are allowed. When the list of domains is restricted, Onebox will automatically skip engines which require those domains, and use a fallback engine.
2025-02-25 18:55:32 -06:00 · 2020-08-27 20:12:13 +01:00
parent c172f2068d
commit a3577435f7
7 changed files with 84 additions and 48 deletions
--- a/lib/onebox/engine/allowlisted_generic_onebox.rb
+++ b/lib/onebox/engine/allowlisted_generic_onebox.rb
@@ -16,24 +16,6 @@ module Onebox
        Float::INFINITY
      end

-      private
-
-      # overwrite to allowlist iframes
-      def is_embedded?
-        return false unless data[:html] && data[:height]
-        return true if AllowlistedGenericOnebox.html_providers.include?(data[:provider_name])
-
-        if data[:html]["iframe"]
-          fragment = Nokogiri::HTML5::fragment(data[:html])
-          if iframe = fragment.at_css("iframe")
-            src = iframe["src"]
-            return src.present? && SiteSetting.allowed_iframes.split("|").any? { |url| src.start_with?(url) }
-          end
-        end
-
-        false
-      end
-
    end
  end
 end
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -138,7 +138,9 @@ module Oneboxer
  end

  def self.engine(url)
-    Onebox::Matcher.new(url).oneboxed
+    Onebox::Matcher.new(url, {
+      allowed_iframe_regexes: Onebox::Engine.origins_to_regexes(allowed_iframe_origins)
+    }).oneboxed
  end

  def self.recently_failed?(url)
@@ -300,6 +302,14 @@ module Oneboxer
    @preserve_fragment_url_hosts ||= ['http://github.com']
  end

+  def self.allowed_iframe_origins
+    allowed = SiteSetting.allowed_onebox_iframes.split("|")
+    if allowed.include?("*")
+      allowed = Onebox::Engine.all_iframe_origins
+    end
+    allowed += SiteSetting.allowed_iframes.split("|")
+  end
+
  def self.external_onebox(url)
    Discourse.cache.fetch(onebox_cache_key(url), expires_in: 1.day) do
      fd = FinalDestination.new(url,
@@ -314,6 +324,7 @@ module Oneboxer
      options = {
        max_width: 695,
        sanitize_config: Onebox::DiscourseOneboxSanitizeConfig::Config::DISCOURSE_ONEBOX,
+        allowed_iframe_origins: allowed_iframe_origins,
        hostname: GlobalSetting.hostname,
      }