Stop Forum from iframing/including whole pages


#1

is it really needed to show a page just because their URL was typed? especially since such an included/iframed page can easily be used for tracking purposes and it becomes especially annoying when you just type your domain to show which domain you used for LE or whatever and then you cannot see the domain.

I wish to request that unless specified a URL should always be either non-clickable or just a link maybe depending on the rank of the user, but never be iframed, because it’s easy that a potential malware domain gets iframed and even if just because of a typing mistake (domainsquatting by some other entity)


#2

I think only special sites are oneboxed, like Google Docs. But I don’t like iFrames here either, I think they should be disabled. All other oneboxing is fine, but no iFrames please.


#3

what is a onebox? and where’s the difference to an iframe?


#4

Oneboxing is a general term for these things. If you post a link to GitHub or another thread here on a separate line, it’s not iframing it but instead just shows a snippet, so basically inlining external content.

https://meta.discourse.org/t/what-is-a-onebox/4546


#5

well that’s actually not bad, but there should be a way to set stuff about that on a per-user basis, especially when sites get iframes as was especially seen with the LE beta form, because an iframe can track users and tracking is evil.


#6

If you think IFRAMES are evil on all websites, just download noscript to block them (“Embedding” tab and check “Forbid IFRAME”, “Apply these restrictions to whitelisted sites too”).


#7

they are not evil everywhere but in a forum you aren’t really expecting it and those things REALLY take a lot of space.


#8

That’s true, in the meanwhile I’ll just use NoScript.


#9

well slightly annoying because most probably the links will vanish that way


#10

Nah it’s okay, when I hover it, I get the link.

And I can still go to “Blocked objects” and allow it

Well anyway, it’s Let’s Encrypt forums, not noscript topics, I’ll stop there ^^


#11

AFAIK Discourse does not use iframes (as also indicated by this thread which only shows an experimental implementation of this).
Like it was already said Discourse uses Oneboxes, where you cannot be tracked.
The only thing I saw on Discourse forums embedded, which may track you, are video embeddings like embedded YouTube videos. There is still no IFrame used but YouTube may track your site visit if you visit such a site - but hey, embedded YouTube videos are everywhere on the web…


#12


so what’s that huge annoyance?
edit: checked the code

<iframe class="gdocs-onebox forms-onebox" width="695" height="457" 
frameborder="0" scrolling="yes" marginwidth="0" marginheight="0" 
src="https://docs.google.com/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM/viewform?embedded=true">

so how’s that NOT an iframe?


#13

Regardless of whether oneboxing is used, I oppose ANY use of iframes. They should not be in the HTML standard. But I also oppose oneboxing in general unless the poster gives permission first.

About “noscript”, which I assume is a browser add-on, just because a workaround is available is not an excuse to do something the wrong way.

Just my opinions.


#14

well the onebox is an interesting idea and not an iframe at all. it’s more like the forum parses part of the page and includes it server-side, as far as i can get it correctly, but still there should be a setting for the poster to shut off the onebox and/or the iframe, while latter shouldn’t even be in this forum by default…

also iframe isn’t a bad concept in general it’s similar to goto, eval or exec in PHP, which are hated for legit reasons but they also have legit uses (exec for example can use inkscape to convert an SVG to PNG, imagick is junk, I already tested that one, eval can be useful for dynamically building if-clauses, and goto is an easy way to jump out of your condition and a lot easier to handle than a Multi-level break).


#15

There is an option, just prefix links with a space if they’re on a separate line to turn it off.


#16

that’s a workaround but not an option because it is neither obvious nor clearly visible.


#17

Was the first thing I tried to prevent it TBH. Maybe it should be somewhere in a formatting help.


#18

Oh yes. In fact that’s an iframe. Did not know that Discourse allows this.

But it seems they have some whitelisting feature, because I could not get any other domains iframed here.
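
The whitelisting behaviour noted in post #18, as an added example (not part of the thread and not Discourse's own code): an audit that lists every iframe in a rendered post and checks its src host against an exact-match allowlist. `ALLOWED_FRAME_HOSTS`, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host the forum operator allows posts to frame.
ALLOWED_FRAME_HOSTS = {"docs.google.com"}

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in rendered post HTML."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def frame_allowed(src, allowed=ALLOWED_FRAME_HOSTS):
    """Exact host match over https only; no suffix or substring matching."""
    try:
        parts = urlsplit(src.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_creds = parts.username is not None  # "allowed-host@other-host" trick
    except ValueError:
        return False
    return parts.scheme == "https" and not has_creds and host in allowed

def audit_post(cooked_html, allowed=ALLOWED_FRAME_HOSTS):
    """Return (src, allowed?) for each iframe found in a rendered post."""
    collector = IframeCollector()
    collector.feed(cooked_html)
    collector.close()
    return [(src, frame_allowed(src, allowed)) for src in collector.sources]

# Constructed sample: one frame like the one quoted in post #12 (form id
# replaced by a placeholder) and three that an exact-match check must reject.
SAMPLE_POST = """
<p>Please fill in the beta form:</p>
<iframe class="gdocs-onebox forms-onebox"
        src="https://docs.google.com/forms/d/FORM_ID/viewform?embedded=true"></iframe>
<iframe src="https://docs.google.com.tracker.example/forms"></iframe>
<IFRAME SRC="https://docs.google.com@tracker.example/forms"></IFRAME>
<iframe src="http://docs.google.com/forms"></iframe>
"""

if __name__ == "__main__":
    for src, ok in audit_post(SAMPLE_POST):
        print("ALLOW" if ok else "BLOCK", src)
```

A substring or suffix comparison would accept the second and third frames; comparing the parsed hostname exactly is what makes a mistyped or lookalike domain fall back to a plain link.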