Embedding comments via JS not working


(Fogo) #1

Hi,

I run Discourse beside a custom web app where I want to embed it. Both are behind an nginx server and their URLs are https://mysite.com and https://forum.mysite.com.

I tested with 3 browser configs:

OSX, Firefox 54, strict config

Referer:https://forum.mysite.com/embed/comments?embed_url=https%3A%2F%2Fmysite.com%2Ffoo%2Fbar%2F

The referer did not match any of the following hosts:

    mysite.com

Browser console

Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://forum.mysite.com’) does not match the recipient window’s origin (‘https://mysite.com’).

OSX, Firefox 54, everything enabled

blank space

Browser console

Load denied by X-Frame-Options: https://forum.mysite.com/login does not permit cross-origin framing.

WinXP, Firefox 52, everything enabled

The embedded comments are working fine.


(Jay Pfaffman) #2

Is there a reason not to share your actual url?

Both sites work, but just embedding does not work?

What steps did you take to configure embedding?


(Fogo) #3

Thanks for the quick reply.

Yes, both sites work.

Steps I did for configuring embedding

Embedded code:

    <script type="text/javascript">
      DiscourseEmbed = { discourseUrl: 'https://forum.mysite.com/',
                         discourseEmbedUrl: 'https://mysite.com/foo/bar/' };

      (function() {
        var d = document.createElement('script'); d.type = 'text/javascript'; d.async = true;
        d.src = DiscourseEmbed.discourseUrl + 'javascripts/embed.js';
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(d);
      })();
    </script>

  • DISCOURSE_ENABLE_CORS env var set to true

  • Security > Force HTTPS settings enabled

  • Security > CORS Origins set to https://mysite.com/

  • used nginx config from this howto and added to location / part:

      add_header "Access-Control-Allow-Origin"  *;
      add_header X-Frame-Options ALLOW-FROM https://mysite.com;

(Joe Buhlig) #4

Can you share the actual URLs? That makes it easier to see the real error message and play with it.

Unless I’m forgetting something, none of this applies to embedding. And it may actually be causing your issue.
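
The three checks behind the errors quoted in post #1, replayed with the thread's placeholder URLs. This is an added example, not part of the thread and not Discourse or browser source code: the helper names are hypothetical, the host comparison is assumed to be an exact match, and the `SAMEORIGIN` value is assumed because the thread does not show the header sent with `/login`.

```javascript
// Added example: hypothetical helper names, not Discourse or browser source code.

// Host check implied by "The referer did not match any of the following hosts".
// Assumption: exact hostname comparison against the configured list.
function refererHostAllowed(referer, allowedHosts) {
  let host;
  try {
    host = new URL(referer).hostname; // URL lower-cases the host
  } catch (e) {
    return false; // missing or malformed Referer cannot match
  }
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// X-Frame-Options decision for frameUrl loaded inside parentUrl.
// honoursAllowFrom models a browser that implements the obsolete ALLOW-FROM
// directive; a browser that does not implement it ignores the header.
function framingAllowed(xfo, frameUrl, parentUrl, honoursAllowFrom) {
  const parent = new URL(parentUrl).origin;
  const [directive, uri] = xfo.trim().split(/\s+/, 2);
  switch (directive.toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return new URL(frameUrl).origin === parent;
    case 'ALLOW-FROM':
      return honoursAllowFrom && uri ? new URL(uri).origin === parent : true;
    default:
      return true; // unrecognised value: the header has no effect
  }
}

// postMessage(message, targetOrigin) is delivered only when targetOrigin is "*"
// or equals the origin of the recipient window.
function postMessageDelivered(targetOrigin, recipientUrl) {
  return targetOrigin === '*' ||
    new URL(targetOrigin).origin === new URL(recipientUrl).origin;
}

// Replay with the thread's placeholder URLs. The SAMEORIGIN value is assumed:
// the thread does not show the header sent with /login.
const page = 'https://mysite.com/foo/bar/';
const embed = 'https://forum.mysite.com/embed/comments?embed_url=' + encodeURIComponent(page);
console.log(refererHostAllowed(embed, ['mysite.com']));
console.log(refererHostAllowed(page, ['mysite.com']));
console.log(framingAllowed('SAMEORIGIN', 'https://forum.mysite.com/login', page, false));
console.log(postMessageDelivered('https://forum.mysite.com', page));
```

Because a browser without `ALLOW-FROM` support ignores the header, that directive restricts framing only in browsers that implement it.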