Embedded comments not displayed due to X-Frame-Options DENY

(guiniol) #1


I setup comments on my blog using this guide: Embedding Discourse Comments via Javascript

It worked at some point, but now the comments are not displayed. In the firefox console, I see:

Load denied by X-Frame-Options: https://... does not permit framing.

And in the network section, for this resource, I see that:

X-Frame-Options: "ALLOWALL, DENY"

I have no idea what’s going on, but I think it may be related to SSL.
Both the blog and the discourse instance are behind a reverse proxy which does the actual SSL.

The blog is here: https://avril4th.com
and the discourse instance: https://discourse.avril4th.com

I’m not sure what other information could be relevant.


(Jeff Atwood) #2

Is “force https” set in your Discourse settings?

(Kane York) #3

That is… extremely weird. I don’t think there’s any point in an ALLOWALL, DENY record as “ALLOWALL” doesn’t actually mean anything to the browser, just analysis tools (checking if the X-FO is missing, i.e. you didn’t think about it).

I’m guessing the proxy is adding , DENY to the end?

(guiniol) #4

No. Since discourse talks http with the reverse proxy and the reverse proxy does the ssl, I wasn’t sure this wouldn’t break my setup.

(guiniol) #5

I don’t think so. I’m using nginx, and I added X-Forwarded-For, X-Real-IP and X-Forwarded-Proto, but that’s only on the way to discourse I think.

(Felix Freiberger) #6

I’m running such a setup with that option checked, so it should be working fine :slight_smile:

(guiniol) #7

Alright. Tried it. Discourse still works, but it didn’t change anything to the embedding.

(guiniol) #8

Just to make sure, I added add_header X-Frame-Options "ALLOWALL"; to the nginx configuration. The comments are displayed properly in this case. So the question is what is adding DENY at the end, and why?

(guiniol) #9

So… it seems it was nginx adding the DENY at the end. Not sure why exactly, but I think it may have to do with proxy_set_header X-Forwarded-Proto $scheme;. When I added add_header X-Frame-Options "ALLOWALL", I ended up with two ALLOWALL so I set it to add_header X-Frame-Options "" and now I only have one (like I should).

(guiniol) #10

For anyone else having the same problem, this is what I added inside the location for discourse:

if ($args ~ "embed_url=https%3A%2F%2Favril4th.com%2F") {
    add_header X-Frame-Options "";

Not an nginx expert, so maybe there are better ways to do it.
EDIT: talked to experts in #nginx. See solution below

(guiniol) #11

Well, it was me all along. When I added ssl, I also added a few lines for security, one of which was the X-Frame-Options DENY. Mistery solved on that front.

(guiniol) #12

In case someone stumbles upon this thread and wants X-Frame-Options DENY as defaults but still wants to embed comments, here is the solution direct from #nginx (apparently ifs should be avoided where possible:

outside of the server clause:

map $arg_embed_url $xfo {
        default DENY;
        ~^https%3A%2F%2Favril4th.com%2F.* "ALLOW-FROM https://avril4th.com/";

and then inside the location where you want to allow embeding:

add_header X-Frame-Options $xfo;