Embedded comments in HTML page - SAMEORIGIN and 403 issues

(Mari Gutierrez) #1

First of all, my apologies for bringing this topic back to the forum. I’ve read almost all the existing topics related to embedded comments not working, but I don’t seem to find anything that helps in my case. I’m sure I’m probably missing a small detail, but since I’m not able to find it, maybe a few more pairs of eyes will help here.

I’ve created a small blog at writings.mydomain.com. I have set up a Digital Ocean instance with Discourse at comments.mydomain.com. Both writings and comments require secure connections (https).

In Settings > Customize > Embedding I have added writings.mydomain.com as an allowed host, whitelist path “/.*”, no category.

In every post of my blog I’ve inserted the snippet as explained in the Embedding section, dynamically replacing discourseEmbedUrl with the URL of the post.

I go to my blog, click on a post and see the discourse comments iframe trying to load the discussion. After a while, the loading fails, and the client throws the following errors:

Refused to display 'https://comments.mydomain.com/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fmonthly-roadmap-meeting-12-09-2016.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
GET https://comments.mydomain.com/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fmonthly-roadmap-meeting-12-09-2016.html 403 ()

I tried enabling CORS in my Discourse instance (env variables DISCOURSE_ENABLE_CORS: true and DISCOURSE_CORS_ORIGIN: '*') and rebuilding it, with no success. My version of Discourse is v1.7.0.beta5 +15.

Anything obviously wrong you can see in my approach?

Thanks in advance.

(Robin Ward) #2

Everything definitely looks good to me. You shouldn’t need the path whitelist feature, so one thing I’d try is turning that off.

Additionally, are there any errors in the logs on your discourse server at /logs?

(Mari Gutierrez) #3

Hi Robin, thanks for your response. I tried removing the path whitelist, with no luck.
Regarding logs (doh), checking the Rails ones I got something interesting, and I think I may understand what the problem is:

Started GET "/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fdesigners-github.html" for XX.XX.XX.XX at 2016-09-26 20:35:13 +0000
Processing by EmbedController#comments as HTML
  Parameters: {"embed_url"=>"https://writings.mydomain.com/designers-github.html"}
  Rendered embed/loading.html.erb within layouts/embed (1.3ms)
Completed 200 OK in 35ms (Views: 6.5ms | ActiveRecord: 7.7ms)
Started GET "/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fdesigners-github.html" for XX.XX.XX.XX at 2016-09-26 20:35:43 +0000
Processing by EmbedController#comments as HTML
  Parameters: {"embed_url"=>"https://writings.mydomain.com/designers-github.html"}
  Rendered exceptions/not_found.html.erb within layouts/application (36.3ms)
  Rendered layouts/_head.html.erb (2.0ms)
  Rendered common/_special_font_face.html.erb (1.2ms)
  Rendered common/_discourse_stylesheet.html.erb (1.2ms)
  Rendered application/_header.html.erb (0.8ms)
  Rendered common/_discourse_javascript.html.erb (1.5ms)
  Rendered text template (0.1ms)
Completed 403 Forbidden in 229ms (Views: 1.5ms | ActiveRecord: 112.1ms)

The blog is at the moment behind basic auth, so I guess the 403 may come from there. Could that be the issue? If so, any way to circumvent it? Would adding the basic auth credentials in the embedded URL fix it?
This would not yet explain the SAMEORIGIN issue though, but one step at a time!
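As an added example (my own code, not from this thread or from the Discourse project), here is a small Python triage script that groups Rails request-log lines like the ones quoted above into requests and reports, for each /embed/comments request, the decoded embed_url, the HTTP status and the layout the response was rendered in. Read that way, the quoted log shows one failure rather than two: the first request served embed/loading.html.erb within layouts/embed and got 200, while the second rendered exceptions/not_found.html.erb within layouts/application and got 403. A page rendered in the normal application layout still carries Rails' default X-Frame-Options SAMEORIGIN header, which is consistent with the browser refusal reported in #1. The sample input is the log from this post; the allowed-host list is an assumption standing in for the Embedding setting.

```python
"""Triage Rails request logs for Discourse embed failures (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Log lines quoted in this thread, used here as the sample input.
SAMPLE_LOG = [
    'Started GET "/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fdesigners-github.html" for XX.XX.XX.XX at 2016-09-26 20:35:13 +0000',
    "Processing by EmbedController#comments as HTML",
    '  Parameters: {"embed_url"=>"https://writings.mydomain.com/designers-github.html"}',
    "  Rendered embed/loading.html.erb within layouts/embed (1.3ms)",
    "Completed 200 OK in 35ms (Views: 6.5ms | ActiveRecord: 7.7ms)",
    'Started GET "/embed/comments?embed_url=https%3A%2F%2Fwritings.mydomain.com%2Fdesigners-github.html" for XX.XX.XX.XX at 2016-09-26 20:35:43 +0000',
    "Processing by EmbedController#comments as HTML",
    '  Parameters: {"embed_url"=>"https://writings.mydomain.com/designers-github.html"}',
    "  Rendered exceptions/not_found.html.erb within layouts/application (36.3ms)",
    "  Rendered layouts/_head.html.erb (2.0ms)",
    "  Rendered text template (0.1ms)",
    "Completed 403 Forbidden in 229ms (Views: 1.5ms | ActiveRecord: 112.1ms)",
]

# Assumed to mirror the "allowed hosts" list in Settings > Customize > Embedding.
ALLOWED_HOSTS = ["writings.mydomain.com"]

STARTED = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+) at (?P<when>.+)$')
RENDERED = re.compile(r"^\s*Rendered (?P<template>\S+) within (?P<layout>\S+)")
COMPLETED = re.compile(r"^Completed (?P<status>\d{3}) (?P<reason>[A-Za-z ]+?) in ")


def parse_requests(lines):
    """Group Started/Rendered/Completed lines into one record per request."""
    requests, current = [], None
    for line in lines:
        m = STARTED.match(line)
        if m:
            current = {"method": m["method"], "path": m["path"], "ip": m["ip"],
                       "when": m["when"], "template": None, "layout": None, "status": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = RENDERED.match(line)
        if m and current["layout"] is None:
            # The first "Rendered X within layouts/Y" line names the response layout.
            current["template"], current["layout"] = m["template"], m["layout"]
            continue
        m = COMPLETED.match(line)
        if m:
            current["status"] = int(m["status"])
            current = None  # request finished; later lines belong to the next one
    return requests


def embed_url(path):
    """Return the percent-decoded embed_url query parameter, or None."""
    return parse_qs(urlparse(path).query).get("embed_url", [None])[0]


def host_allowed(url, allowed_hosts):
    """True if the URL's host is one of the configured embedding hosts."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


def triage(lines, allowed_hosts=ALLOWED_HOSTS):
    """Report each /embed/comments request with a one-line verdict."""
    findings = []
    for req in parse_requests(lines):
        if not req["path"].startswith("/embed/comments"):
            continue
        url = embed_url(req["path"])
        if url and not host_allowed(url, allowed_hosts):
            verdict = "rejected: embed_url host is not in the Embedding allowed hosts"
        elif req["status"] == 200 and req["layout"] == "layouts/embed":
            verdict = "ok: loading page served in the embed layout"
        elif req["status"] == 403:
            verdict = ("forbidden: error page rendered in %s, not layouts/embed, so it keeps the "
                       "default X-Frame-Options; check that %s is fetchable by Discourse without "
                       "credentials" % (req["layout"], url))
        else:
            verdict = "status %s rendered in %s" % (req["status"], req["layout"])
        findings.append({"when": req["when"], "embed_url": url, "status": req["status"],
                         "layout": req["layout"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["when"], f["status"], f["layout"], "->", f["verdict"])
```

Run it against the live Rails log (or /logs output) after reproducing the failure once; a 403 whose layout is not layouts/embed points at the fetch of the blog page rather than at the iframe or CORS settings.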

(Jeff Atwood) #4

There is no way to embed comments if you are involving auth, sorry.

(Mari Gutierrez) #5

Thanks for your answer Jeff, all clear now. I’ll get rid of the basic auth then :slight_smile:

Thanks again for your help!

(Mudedla Panduranga Rao) #6

How can we avoid auth for embedding comments?