CORS Error when embedding comments in Gitlab-hosted Jekyll static site

New Discourse user here just trying to get a basic site skeleton up. So far, almost everything has been smooth except for getting the comment-embedding/post-generating functionality to work.

I have my Discourse instance running on a Digital Ocean droplet, as per the setup instructions.

My discourse url is:
My static site is located at:

I have added: DISCOURSE_ENABLE_CORS: true to the app.yml file and re-launched.

I have set Settings > Security > cors origins to:

The console on my static site where I embed the comments shows this:

Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘’) does not match the recipient window’s origin (‘’)

There are a number of similar posts that I found in the forums that have helped me get this far, but none of the solutions suggested in any of them have worked for me. I feel like I may be missing something obvious here, because it seems like it should work.


Looks like you need to add both domain and sub domain in your cors settings then?

@codinghorror Seems like that should have solved it, but the error is the same even with added to cors origins.

Turns out it was a ridiculously simple mistake - apparently there is a “Save Embedding Settings” button at the very far bottom left of the screen on the settings. Even though it looks like clicking the blue check mark next to the host does the “save”, you still need to find that save button and click it.

Additionally, once I did find it I was alerted to the fact that I needed to enter a username.

Honestly, that save button is really unintuitive - it is difficult to find, there is no penalty for not hitting it, the page seems to save my settings regardless (but not apply them I guess?) and none of the guides on this mention that I need to find it and hit it.