It worked at some point, but now the comments are not displayed. In the firefox console, I see:
Load denied by X-Frame-Options: https://... does not permit framing.
And in the network section, for this resource, I see that:
X-Frame-Options: "ALLOWALL, DENY"
I have no idea what’s going on, but I think it may be related to SSL.
Both the blog and the discourse instance are behind a reverse proxy which does the actual SSL.
That is… extremely weird. I don’t think there’s any point in an ALLOWALL, DENY record as “ALLOWALL” doesn’t actually mean anything to the browser, just analysis tools (checking if the X-FO is missing, i.e. you didn’t think about it).
I’m guessing the proxy is adding , DENY to the end?
Just to make sure, I added add_header X-Frame-Options "ALLOWALL"; to the nginx configuration. The comments are displayed properly in this case. So the question is what is adding DENY at the end, and why?
So… it seems it was nginx adding the DENY at the end. Not sure why exactly, but I think it may have to do with proxy_set_header X-Forwarded-Proto $scheme;. When I added add_header X-Frame-Options "ALLOWALL", I ended up with two ALLOWALL so I set it to add_header X-Frame-Options "" and now I only have one (like I should).
Well, it was me all along. When I added ssl, I also added a few lines for security, one of which was the X-Frame-Options DENY. Mistery solved on that front.
In case someone stumbles upon this thread and wants X-Frame-Options DENY as defaults but still wants to embed comments, here is the solution direct from #nginx (apparently ifs should be avoided where possible: