I just added
www.youtube.com to the Onebox blacklist.
Onebox is the feature in Discourse that embeds articles into the post if you put a link on a line by itself. Our Discourse already downloads images in the background, to prevent broken images, but mostly to prevent leaking user actions on the web. Better to host a copy here, than for each visitor to phone home, because someone shared a blog link.
YouTube loads a player into the page, in a so-called safe iframe. It requires the browser to download directly from YouTube, so blacklisted.
I don’t link to non-bloggy sites, or news sites which generally run WordPress or whatever, and they just embed as a title, except and maybe features image (which is queued to pull over). But obviously we don’t want to leak to any social media sites.
So please help me generate a list of sites to blacklist. Aside from YouTube, which other domains should we block from embedding scripts into the forums?