CORS question embedding Blogspot

Having see our newly embedded (same-domain) Ghost blog one of our members asked if it was possible to do the same with his at Blogspot. I’ve tried but can only get this far:

Allowed hosts are:

The embedded script is:

<script type="text/javascript">
DiscourseEmbed = { discourseUrl: '',
			     discourseEmbedUrl: '{{url absolute="true"}}' };
(with and without discourseReferrerPolicy: 'strict-origin-when-cross-origin'};)

(function() {
var d = document.createElement('script'); d.type = 'text/javascript'; d.async = true;
d.src = DiscourseEmbed.discourseUrl + 'javascripts/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(d);

CORS is enabled through App.yml:


I also tried it with


followed by app destroy/ start each time.

The allowed origin is:

These settings are both checked:

Enable Content-Security-Policy
Restrict who can embed this site in iframes via CSP.

Jscript console says

Any help would be greatly appreciated.

This is wrong, as the {{url absolute="true"}} is not replaced before the code is executed.

Also, you may want to limit the code loading the Discourse comments to only article pages and not the homepage.

1 Like