The source code is unavailable in custom blocks
I’m using Immersion on 3.5OJS on a test site. I want to try adding multimedia to the side bar and tried to use custom blocks for this. I can inspect the source code but cannot edit or select it, either this is a UI bug in this version of OJS or a configuration restriction. Are you able to help?
Steps I took leading up to the issue
For example:
Add a custom block in the plugin
Click on <>
Tried to insert the cursor into the source code field to paste a test Vimeo iframe.
Nothing happens. No ability to work with the source code.
What application are you using?
For example, OJS 3.5
I think you may be running into this issue. Which, several others have reported and we have identified a fix for it. I suspect if you try to use these controls elsewhere in OJS they will also not work due to this error. There is a patch to apply to fix the issue, but you might also wait until the release of OJS 3.5.0-0-3, where upgrading will fix this issue.
If the problem persists even after updating OJS, you might be running into another issue I recently encountered.
I had a similar problem while trying to embed a google form iFrame in the sidebar. The iframe was always broken / blank and never loaded.
The issue wasn’t the HTML itself — it was the browser blocking the embed because it violated the site’s Content-Security-Policy (CSP).
Since OJS sends CSP as an HTTP response header, it controls what your site is allowed to load inside iframes. If the embed domain isn’t explicitly allowed, the browser will refuse to render it (you’ll usually see console errors like: “Refused to frame … because it violates Content Security Policy (frame-src …)”).
Fix: update your CSP allowlist — especially the frame-src directive — to include Vimeo’s embed domains. In practice, that usually means allowing:
• https://player.vimeo.com (the actual iframe embed host)
• and sometimes https://vimeo.com (depending on the embed flow / redirects)
If your CSP is very strict, you may also need to allow Vimeo-related assets in other directives (e.g., script-src, img-src, media-src), but the most common breaking point for an iframe is frame-src.
After adding the relevant domains to frame-src (and, if needed, expanding the other directives), the Vimeo iframe should load normally.
(Note: this is different from X-Frame-Options / frame-ancestors restrictions set by the third-party site itself. In my case, the blocker was the OJS CSP header.)
Thank you Pedro! I will keep that in mind - at the moment I’m using placeholder content from Vimeo . I could add the iframe to the source code after the upgrade and it’s displaying okay. I’m not sure what content the client will want to use and where it will be hosted - so good to know there might be that issue with CSP. Thanks again!