Also, something curious: embedding works with Firefox on OS X, but not with Firefox on Windows 10.
Meanwhile, I have tried e.g. using the plugin at GitHub - TheBunyip/discourse-allow-same-origin (based on the discussion at Discourse Meta), but this does nothing. Even the headers were not changed.
After that I just used the brute method, namely replacing all the SAMEORIGIN entries with ALLOWALL in the Docker container with
```
grep -rlI "SAMEORIGIN" /var/lib/docker/aufs/mnt/b61e6ae66cd105227ba032b83eeeb7fe28fef447d0a550d62bd2907fc8808bb3/ | xargs sed -i "s/'X-Frame-Options' => 'SAMEORIGIN'/'X-Frame-Options' => 'ALLOWALL'/g"
```
With Chrome, Safari and IE the embedding works.
In the Discourse Nginx access log the successful request from Chrome looks like this:
```
[07/May/2016:13:43:44 +0000] 188.8.131.52 "GET /embed/comments?embed_url=https%3A%2F%2Fwww.blaubeerbasilikum.de%2Ftortillas-mit-guacamole-und-hackfleischsosse%2F HTTP/2.0" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" "embed/comments" 200 1730 "https://www.blaubeerbasilikum.de/" 0.036 0.036 "blogadmin"
```
And the request from Firefox (403 error):
```
[07/May/2016:13:44:15 +0000] 184.108.40.206 "GET /embed/comments?embed_url=https%3A%2F%2Fwww.blaubeerbasilikum.de%2Ftortillas-mit-guacamole-und-hackfleischsosse%2F HTTP/2.0" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0" "embed/comments" 403 5179 "-" 0.040 0.040 "-"
```
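An added example, not part of the original post: a small parser for access-log lines in the layout quoted above, which reports the fields that differ between an accepted and a rejected `/embed/comments` request. The field names are assumptions inferred from the two quoted lines, and the sample lines are constructed (documentation IP addresses and a placeholder domain).

```python
import re
from collections import Counter

# Field layout inferred from the two log lines in the post; the names are assumptions.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) "(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<route>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" '
    r'(?P<request_time>[\d.]+) (?P<upstream_time>[\d.]+) "(?P<username>[^"]*)"$'
)

# Constructed sample input modelled on the post, plus one malformed line.
SAMPLE = [
    '[07/May/2016:13:43:44 +0000] 192.0.2.10 "GET /embed/comments?embed_url=https%3A%2F%2Fblog.example%2Fpost%2F HTTP/2.0" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" "embed/comments" 200 1730 "https://blog.example/" 0.036 0.036 "blogadmin"',
    '[07/May/2016:13:44:15 +0000] 192.0.2.11 "GET /embed/comments?embed_url=https%3A%2F%2Fblog.example%2Fpost%2F HTTP/2.0" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0" "embed/comments" 403 5179 "-" 0.040 0.040 "-"',
    'truncated or unrelated line',
]

# Fields that always vary between requests and say nothing about the rejection.
NOISE = ("time", "ip", "user_agent", "bytes", "request_time", "upstream_time")

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["has_referer"] = rec["referer"] not in ("", "-")  # "-" means header absent
    rec["logged_in"] = rec["username"] not in ("", "-")   # "-" means no session user
    return rec

def differing_fields(a, b, ignore=NOISE):
    """Map each non-noise field that differs to its (a, b) pair of values."""
    return {k: (a[k], b[k]) for k in a if k not in ignore and a[k] != b[k]}

def embed_summary(lines):
    """Count embed requests by (status, has_referer, logged_in)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["route"] == "embed/comments":
            counts[(rec["status"], rec["has_referer"], rec["logged_in"])] += 1
    return counts

if __name__ == "__main__":
    ok, rejected = parse_line(SAMPLE[0]), parse_line(SAMPLE[1])
    for field, (a, b) in differing_fields(ok, rejected).items():
        print(f"{field}: {a!r} -> {b!r}")
    print(dict(embed_summary(SAMPLE)))
```

Run over a full access log, `embed_summary` shows whether rejected embed requests consistently arrive without a Referer header or a logged-in user.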