Iframes

Thanks for reaching out.

I spoke with one of our QA engineers and he said this:
(adding your questions for easier context)

(1) My login and IP address also appear on the allow list. Is only that one user and IP being allowed?
The login and IP are just for record-keeping but the exception applies to all users with that particular parameter on that particular endpoint.

(2) What else, other than iframes, might be disallowed in a post?
That’s running into the Firewall’s XSS rule, so any script tags or untrusted attributes (e.g. onclick, onfocus, etc.) would get blocked as well. We generally make an exception for the XSS rule in the WordPress post editor since it has sufficient built-in XSS protection (apart from individual plugins that add functionality to the post editor which we see a few times a year and make new rules for) but it sounds like bbPress doesn’t use the same URL structure when editing posts.

(3) Is there a way to “allow” this type of thing (like and iframe from a specific source) generically, if I should need to do that, rather than URL by URL.
We’d want to see what these allowlistings look like to be sure, but it is probably not for the time being without you disabling the rule (Click “Show All Rules” in the Rules subsection of the Advanced Firewall Options section on the Firewall > All Firewall Options page on you site)

(4) I’ve looked at:

Is there any other documentation that gives more details than those pages?
We hope to add more fine-grained control to the allowlist functionality in a future release and that includes more thorough documentation about this and other features.

Hope this helps. Please let me know if you have other questions.

Tim

Yes, that is actually very helpful. I have a better idea what’s going on now. Thanks so much.

-Mike