Embedding Discourse Comments via Javascript

I’m experiencing the same issue. It would be nice to see the embedded comments even if the site is set to private mode. Overall, I am loving Discourse, and the ability to add the comments to Ghost is a plus!


Is there a way to pass a unique div id each time the script is called? I have asynchronous content loading under my main article and would like the comments to appear on those items as well. Of course the issue with the current set up is that they all get shown in the ‘discourse-comments’ div id.

Thanks. @eviltrout


There is no way to pass a dynamic id. I’d accept a PR to do that though!


@eviltrout Err… well I know what a PR is (now), but how do you initiate a pull request?

1 Like

Sorry can you be more clear on what you mean by that? I am not a Ruby dev so that code is not going to come from me sadly. I dabbled with it once but didn’t get that far.

I would actually pay for this functionality to be added. Do you think posting in the marketplace would be the way to go for that? Thanks.


Yes the marketplace is a great place to get started if you don’t have the ability to add the feature yourself.

1 Like

Great function guys.

We like to use it soon but we have more than 30.000 blogs on our website. We don’t want all of them in the forum without comments. As the blogs are inserted as topics OnLoad i was wondering if there is a way to insert them into the forum after a button click in the embed for example so not all blogs will be inserted when visited (via Google for example)?

Our new topics overview page will be flooded by blogs i think (for our admins because they start invisible for normal formal users)

1 Like

There is no such feature. The ability to create those as unlisted was added to address this specific use case, but I can see how even it may be too little in the face of 30k blogs.

Maybe you can write a script to go and import history manually with the original post dates?


I have another question. We are using it now but we have articles with links with nofollow. On the forum the links are dofollow (nofollow is gone).

Is this something we can fix? Or is the canonical enough to don’t follow the links on the topic article?

1 Like

I wonder if the data-attribute “nosnippet” might help? Robots meta tag, data-nosnippet, and X-Robots-Tag specifications

I’m not 100% sure if Google would ignore the content marked by nosnippet, or if it just tells them not to display it in the SERP preview?


How can you transfer pictures using this method?

1 Like

I wrote some scripts to migrate our blog comments from Disqus into the Discourse forum, and in doing so I created a bunch of topics using the Discourse API instead of letting this integration create them. For the old posts, I am using the topicId embedding method, and new posts going forward are using the discourseEmbedUrl method.

However, I’m having a strange issue where some new topics are getting created anyway. (I suspect this is from a bug on my end when I briefly had some topicIds missing from some posts and those are the ones getting created as dupes.) While I don’t think there’s any solution for me right now, I would like to propose a solution for the future.

Since the embed controller tries to look up an existing post by the embed_url database column, I would like to see an API property to set that field when creating a topic. This would let my import script set this property for the topic. Then the integration wouldn’t even need to worry about switching between the topicId and discourseEmbedUrl field in the JS.


I just tracked down the source of this issue with the embed plugin. When configuring the embedding, there is an “Allowed Hosts” setting, which then sets the CSP for the iframe and the iframe will only show up at that host. For example if I configure embeds with an allowed host of example.com then try to embed the JS on attacker.com the iframe refuses to load with the error

Refused to frame 'https://forum.example.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://example.com".

However, the JS has already actually run at this point and created a topic on the forum with whatever URL was given to the embed code.

What’s happening in my case is we use Netlify to preview builds, so a copy of the blog is actually being served from netlify.app URLs, which is then loading that embed.js and creating the forum thread for the posts that I had previously incorrectly imported.

This isn’t necessarily a security issue since it can still only create topics for URLs at the configured website and that match the path allowlist. But it’s an issue in this migration strategy since I had no way to set the embed_url on the forum threads when migrating old posts into Discourse.

The fix is to add a CSP rule to prevent that embed.js from being allowed to run on domains that are not configured under the “allowed hosts” setting.

As a proof of concept, I copied the embed code to a completely unrelated domain and set the discourseEmbedUrl to one of the old posts that I imported. I loaded the page and the iframe was blocked, but the JS had already run and created the forum thread.

If you think this is more of a security issue than a bug, I’m happy to delete this post and report it through hackerone instead.


I believe this is possible now. The embed_url property can be set when you first create the topic. Our WordPress plugin does that here: wp-discourse/discourse-publish.php at main · discourse/wp-discourse · GitHub. The embed_url property cannot be updated via the API after the topic has been created.


That’s fantastic! Looks like the API docs need to be updated then!

What would it take to get the property added to the update API method? That would let me solve this properly.


Hi, i’ve been struggling to get the posts on my blog to associate with forum posts using this method. It seems I’m having similar issues to some other users here with the iframe content-security-policy. My blog is generated by Jekyll and is hosted by github and my discourse is hosted by Digital Ocean. Their addresses are blendertube . com and forum.blendertube . com respectively.

Here is the error reported in my browser:

Refused to frame ‘forum.blendertube.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’ blendertube.com”.

Does this have anything to do with ssl for my discourse instance?

Here are some screenshots:

Hope ya’ll can help. Thanks!

1 Like

Here is another screenshot:

1 Like

Does anyone have an idea what the syntax would be to replace the “current_page.url” with the URL of a WordPress WooCommerce product page? We’d like to do this so we don’t have to customize the code for each page, and can easily apply it to all pages.

I tried replacing our own domain value for discourseEmbedUrl : 'http://eviltrout.com<%= current_page.url %>' but this did not work on WP.

1 Like

I think what we might need here is the new noindex, indexifembedded tag

Edit @codinghorror thought this was a good idea when it came up for a similar use case (The topic embed )


I can’t figure out if/how the following is possible:

When the discourse instance’s default theme is Dark, how can the embedded one be Light?

If my browsers are not messed up, it looks like @codinghorror’s implementation is just that way. How is this done in an elegant way? :smiley: