Embedded comments not displayed due to X-Frame-Options DENY

Hello,

I set up comments on my blog using this guide: Embedding Discourse Comments via Javascript

It worked at some point, but now the comments are not displayed. In the firefox console, I see:

Load denied by X-Frame-Options: https://... does not permit framing.

And in the network section, for this resource, I see that:

X-Frame-Options: "ALLOWALL, DENY"

I have no idea what’s going on, but I think it may be related to SSL.
Both the blog and the discourse instance are behind a reverse proxy which does the actual SSL.

The blog is here: https://avril4th.com
and the discourse instance: https://discourse.avril4th.com

I’m not sure what other information could be relevant.

Cheers,

Is “force https” set in your Discourse settings?

1 Like

That is… extremely weird. I don’t think there’s any point in an ALLOWALL, DENY record as “ALLOWALL” doesn’t actually mean anything to the browser, just analysis tools (checking if the X-FO is missing, i.e. you didn’t think about it).

I’m guessing the proxy is adding , DENY to the end?

1 Like

No. Since discourse talks http with the reverse proxy and the reverse proxy does the ssl, I wasn’t sure this wouldn’t break my setup.

I don’t think so. I’m using nginx, and I added X-Forwarded-For, X-Real-IP and X-Forwarded-Proto, but that’s only on the way to discourse I think.

I’m running such a setup with that option checked, so it should be working fine :slight_smile:

Alright. Tried it. Discourse still works, but it didn’t change anything to the embedding.

Just to make sure, I added add_header X-Frame-Options "ALLOWALL"; to the nginx configuration. The comments are displayed properly in this case. So the question is what is adding DENY at the end, and why?

So… it seems it was nginx adding the DENY at the end. Not sure why exactly, but I think it may have to do with proxy_set_header X-Forwarded-Proto $scheme;. When I added add_header X-Frame-Options "ALLOWALL", I ended up with two ALLOWALL so I set it to add_header X-Frame-Options "" and now I only have one (like I should).

For anyone else having the same problem, this is what I added inside the location for discourse:

if ($args ~ "embed_url=https%3A%2F%2Favril4th.com%2F") {
    add_header X-Frame-Options "";
}

Not an nginx expert, so maybe there are better ways to do it.
EDIT: talked to experts in #nginx. See solution below

2 Likes

Well, it was me all along. When I added ssl, I also added a few lines for security, one of which was the X-Frame-Options DENY. Mystery solved on that front.

3 Likes

In case someone stumbles upon this thread and wants X-Frame-Options DENY as default but still wants to embed comments, here is the solution direct from #nginx (apparently ifs should be avoided where possible):

outside of the server clause:

map $arg_embed_url $xfo {
        default DENY;
        ~^https%3A%2F%2Favril4th.com%2F.* "ALLOW-FROM https://avril4th.com/";
}

and then inside the location where you want to allow embedding:

add_header X-Frame-Options $xfo;
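The following is an added example and is not part of this thread or of Discourse or nginx. It models both halves of what was worked out above in Python: the nginx map (default DENY, ALLOW-FROM only when the raw embed_url query argument matches the blog origin) and the browser's decision on the resulting header, including the conflict case "ALLOWALL, DENY" that was denying the frame. The function names xfo_for_request, framing_allowed and embed_outcome are mine; the domains are the ones from the thread. Two caveats worth knowing when reusing this: nginx's $arg_embed_url is the still percent-encoded value, which is why the map pattern (and the regex here) keeps %3A%2F%2F, and ALLOW-FROM is no longer honoured by current Chrome, Safari or Firefox, so the Content-Security-Policy frame-ancestors directive is the modern equivalent of this map value.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Emulation of the thread's `map $arg_embed_url $xfo` block (added example).
# nginx matches the raw, percent-encoded argument, so the pattern keeps %3A%2F%2F.
XFO_DEFAULT = "DENY"
XFO_RULES = [
    (re.compile(r"^https%3A%2F%2Favril4th\.com%2F.*"), "ALLOW-FROM https://avril4th.com/"),
]


def xfo_for_request(request_url: str) -> str:
    """Return the X-Frame-Options value the map would select for this request URL."""
    query = urlsplit(request_url).query
    # Do not percent-decode: nginx's $arg_name variables are the raw query values.
    raw_args = dict(part.split("=", 1) for part in query.split("&") if "=" in part)
    embed_url = raw_args.get("embed_url", "")
    for pattern, value in XFO_RULES:
        if pattern.match(embed_url):
            return value
    return XFO_DEFAULT


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased, as a browser compares origins."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(xfo_header: Optional[str], top_url: str, frame_url: str) -> bool:
    """Decide whether a browser renders frame_url inside a document from top_url.

    Models the RFC 7034 directives (DENY, SAMEORIGIN, ALLOW-FROM) plus the two
    behaviours the thread ran into: an unknown token such as ALLOWALL is not a
    directive and is ignored, and several distinct values in one header
    (e.g. "ALLOWALL, DENY") are treated as conflicting and fall back to DENY.
    """
    if xfo_header is None or not xfo_header.strip():
        return True  # header absent (nginx emits nothing for add_header "" as well)
    values = {v.strip() for v in xfo_header.split(",") if v.strip()}
    if len(values) > 1:
        return False  # conflicting values: browsers fall back to DENY
    name, _, arg = values.pop().partition(" ")
    name = name.upper()
    if name == "DENY":
        return False
    if name == "SAMEORIGIN":
        return origin(top_url) == origin(frame_url)
    if name == "ALLOW-FROM" and arg.strip():
        return origin(top_url) == origin(arg.strip())
    return True  # unrecognised token (e.g. ALLOWALL): header ignored


def embed_outcome(discourse_request_url: str, blog_page_url: str) -> bool:
    """Full round trip: header chosen by the map, then the browser's decision."""
    header = xfo_for_request(discourse_request_url)
    return framing_allowed(header, blog_page_url, discourse_request_url)


if __name__ == "__main__":
    # Constructed sample requests: the blog embedding its own thread, and a foreign site trying to.
    own = "https://discourse.avril4th.com/embed/comments?embed_url=https%3A%2F%2Favril4th.com%2Fpost%2F1"
    foreign = "https://discourse.avril4th.com/embed/comments?embed_url=https%3A%2F%2Fother.example%2F"
    print(xfo_for_request(own), embed_outcome(own, "https://avril4th.com/post/1"))
    print(xfo_for_request(foreign), embed_outcome(foreign, "https://other.example/"))
    print(framing_allowed("ALLOWALL, DENY", "https://avril4th.com/", own))
```

Running it prints the ALLOW-FROM value with True for the blog's own embed, DENY with False for the foreign embed, and False for the "ALLOWALL, DENY" combination that the Firefox console was rejecting.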