Embedding Content on a site with 'X-Frame-Options' to 'SAMEORIGIN'


#1

I’ve been following the instructions from the admin/customize/embedding menu to set up embedding comments on a website.

However, my site is a Jekyll template hosted on GitHub Pages. There’s a thread here with the same subject; however, the solution does not work around the main problem that I’m seeing:

Refused to display 'http://XXX/embed/comments?embed_url=http%3A%2F%2FXXX%2FYYY%2F' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

After searching I found that GitHub’s policy is to block framing with X-Frame-Options, in this Stack Overflow thread. They appear to have relaxed the restriction from DENY to SAMEORIGIN in the intervening time, but the security implications make it clear why they have the policy.

Since embedding the remote content is blocked, my workaround was to copy the embed.js from my Discourse instance onto the static site as a local resource, and then modify the embed script as below:

<div id='discourse-comments'></div>

<script type="text/javascript">
  // Base URL of the static site that now hosts the copied embed.js
  // (assumed value; the post uses the variable without defining it).
  var localSiteUrl = '/';

  DiscourseEmbed = { discourseUrl: 'http://discourse.example.com/',
                     discourseEmbedUrl: 'http://example.com/blog/entry-123.html' };

  (function() {
    // Load the locally hosted copy of embed.js instead of the one served by Discourse.
    var d = document.createElement('script'); d.type = 'text/javascript'; d.async = true;
    d.src = localSiteUrl + 'javascripts/embed.js';
    (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(d);
  })();
</script>

Replacing d.src = DiscourseEmbed.discourseUrl + 'javascripts/embed.js';

with d.src = localSiteUrl + '/js/discourse-embed.js';

This means that the iframe embedding comes from the same origin, but it is fragile, as the embed code can no longer be auto-updated when my Discourse site is updated.

Two questions:

  • Does anyone have a better suggested workaround? Might there be a more minimal embedded JavaScript that I could use that would bring in a version from Discourse that does not generate the iframe remotely?
  • And secondly, how fragile is this copying process, aka how often might it be expected that I need to update the embed.js going forward?
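The following is an added example, not code from the original post or from Discourse. It models the check a browser applies when it sees the X-Frame-Options header quoted in the error above, so that the origins involved can be compared explicitly: the browser compares the origin of the document inside the frame (here the Discourse page at /embed/comments) with the origin of the top-level page (the GitHub Pages blog), where origin means scheme, host and port. The hostnames discourse.example.com and example.com are constructed for illustration; CSP frame-ancestors, which overrides this header when present, is not modelled.

```javascript
// Added example (not part of the original post or of Discourse's embed.js):
// a simplified model of the browser's X-Frame-Options decision for a single
// level of framing. All URLs below are constructed sample values.

// Origin as the browser compares it: scheme + host + port (default port omitted).
function originOf(url) {
  return new URL(url).origin;
}

// Returns true when a document served with the given X-Frame-Options value
// may be displayed inside a frame whose top-level page is topLevelUrl.
//   DENY        -> never framed
//   SAMEORIGIN  -> framed only when both origins are identical
//   absent/other-> this header imposes no restriction (CSP may still apply)
function frameAllowed(framedUrl, topLevelUrl, xfoHeader) {
  const value = (xfoHeader || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return originOf(framedUrl) === originOf(topLevelUrl);
  return true;
}

// Reproduce the situation in the post: a Discourse instance serving
// /embed/comments with SAMEORIGIN, framed by a page on a different site.
function explainEmbed(discourseUrl, blogPostUrl, xfoHeader) {
  const base = discourseUrl.replace(/\/?$/, '/');
  const framedUrl = base + 'embed/comments?embed_url=' + encodeURIComponent(blogPostUrl);
  const allowed = frameAllowed(framedUrl, blogPostUrl, xfoHeader);
  return {
    framedUrl,
    framedOrigin: originOf(framedUrl),
    topLevelOrigin: originOf(blogPostUrl),
    allowed,
    message: allowed
      ? 'frame permitted'
      : "Refused to display '" + framedUrl + "' in a frame because it set 'X-Frame-Options' to '" + xfoHeader + "'.",
  };
}

// Stand-alone run: the blog origin differs from the Discourse origin, so the
// frame is refused; the same page framed from Discourse itself is permitted.
const blocked = explainEmbed('http://discourse.example.com/', 'http://example.com/blog/entry-123.html', 'SAMEORIGIN');
const permitted = frameAllowed('http://discourse.example.com/embed/comments', 'http://discourse.example.com/t/some-topic', 'SAMEORIGIN');
console.log(blocked.message);
console.log('framed from Discourse itself:', permitted ? 'permitted' : 'refused');
```

Note that a subdomain such as discourse.example.com is a different origin from example.com, and that where the script creating the frame was loaded from plays no part in the comparison; only the origin of the framed document and of the page embedding it do.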