Dear devs,
Within ATLAS Open Data we would like to link users directly to this forum to submit their questions.
To do so, we’d like to embed https://opendata-forum.cern.ch/ within our website: https://opendata.atlas.cern/
If we try to set up the most basic configuration, like:
<iframe src="https://opendata-forum.cern.ch/new-topic?title=topic%20title&category=atlas" style={{ width: '100%', height: '500px', border: 'none' }}></iframe>
We see the following message in the rendered frame:
I then have a couple of questions:
- Is there another way to embed a topic creation in our website?
- If not, is it possible to add an exception for our website, so that we can properly embed the forum?
Thanks a lot for your help,
Best,
Giovanni
Summoning @jbenito and @tiborsimko.
Thanks a lot for the help!
Hi @gguerrie
As we spoke IRL, embedding a web site inside another web site is generally not recommended due to several reasons, both technical and practical: it may cause slower load times, worsen user experience due to inconsistent designs, increase mobile browser compatibility issues, and more importantly expose users to security risks related to content embedding. It is hard for the source web site to have any control over the targeted embedded content.
Would it be possible for the ATLAS open data web site to simply link directly to the forum instead of embedding it?
Hi @tiborsimko,
We’ll then proceed to keep the current configuration, in which the forum is linked in our website.
Thanks a lot for the clarifications!
Just one bonus question: is it possible to build a little submission form for questions that would go to the OD Forum? For example, if you have email injection enabled, you could, I think, allow it with a few switches?
Best,
Zach
Hi Zach, would the people be already logged in via CERN Single Sign-On using their GitHub etc. social accounts at the time you would like to inject their forum post from an external submission form? Or would the form be sort of “anonymous” and people would provide their email address and we’d rely on it and inject it “as is”? (The latter could lead to various impersonation troubles, somebody could start spoofing people en masse, etc.)
There are also some security issues we’d have to carefully consider. The Discourse API allows injecting users, but this requires a sort of admin-level like access that the external web site hosting the form would need to have. What if that external web site gets compromised? A theoretical attacker could start injecting users at will.
Moreover, I have not checked the Discourse API granularity, but it is possible that creating new users would be bound with similar actions, such as modifying existing users, and perhaps even more admin-level operations. If the granularity is not very fine-tuned but rather broad, then the theoretical attacker could do even more harm.
I can check the granularity of the Discourse API to be able to better judge the threats, but my gut feeling is that it would be both simpler and safer to just invite new users to come to the forum to create their accounts by themselves and ask the question directly.
Hi @tiborsimko ,
Ok, point taken. I’m less worried about some of these items, and we have used this functionality on the ATLAS forums, but I understand the concerns.
Best,
Zach