Embedding is BROKEN in 3.0.4 (stable)

I have the suspicion that this change

broke how I use embedding on my website. Can someone point me to what exactly was changed?

I use Discourse to create topics for posts on my blog (as a commenting system). My website is divided into two parts for two languages, so I use two hosts to filter the English (/blog/somepost) and German (/de/blog/somepost) posts into different forum categories.

screenshot-forum.fab.industries-2023.06.16-02_30_471101×153 11.5 KB

Posts from the German side of the website aren’t embedding anymore since my Discourse got updated. I presume it has something to do with the above patch.

Any help in trying to solve this would be much appreciated.

On the other hand, it might be whatever this issue is:

I certainly have those DOMExceptions show up. Again, any help would be greatly appreciated!

yea i would be looking at the the security policies and settings for your forum and the embed website. the screenshot looks ok. what is the script you are using and what about your other embed settings? have you made any recent changes there?

my forum uses this embedding posting feature multiple times a day and it’s working great at the moment so i know it’s not broken. we are using the latest beta and we are hosted, so i am confident in the configuration.

Hey, thanks for trying to help!

I am not in control of any security policies since both sites are hosted by hosting providers. Somehow I doubt they broke this. But I will investigate with my Discourse hoster.

I use this script on the blog (it’s a static site engine called Hugo):

<script type="text/javascript">
  DiscourseEmbed = { discourseUrl: 'https://forum.fab.industries/',
                     discourseEmbedUrl: '{{ .Permalink }}' };

  (function() {
    var d = document.createElement('script'); d.type = 'text/javascript'; d.async = true;
    d.src = DiscourseEmbed.discourseUrl + 'javascripts/embed.js';
    (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(d);
  })();
</script>

I didn’t change any of that since I first integrated it a few months ago.

All I did change was some minor custom CSS I added on the forum theme. I will roll that back today and see if it fixes the issue.

Okay. Rolling back the CSS did nothing. It was a longshot anyway.

I was now also able to confirm that embedding is broken in general. The English side of the blog also stopped working. New pages are stuck at “Loading discussion…”

I am now pretty sure this broke when my provider updated my forum to 3.0.4 but I do not know what version they updated me from. So I still suspect this patch somehow:

I am thinking the fact that the browser is tossing these DOM-related errors is no accident:

dom-error1422×419 22.5 KB

Turning off CSP in the admin settings doesn’t seem to fix it.

So main has this

TopicEmbed.import_remote(@embed_url, user: User.find_by(username_lower: username.downcase))

and stable has this

TopicEmbed.import_remote(user, @embed_url)

Note the order of the parameters.

Now the backport of the security patch changed the function signature on stable to the new parameter order,so

def self.import_remote(import_user, url, opts = nil)

became

def self.import_remote(url, opts = nil)

and now the url parameter receives a User object.

Changing the function call resolves the issue

diff --git a/lib/topic_retriever.rb b/lib/topic_retriever.rb
index b798df6cd7..6186ce5868 100644
--- a/lib/topic_retriever.rb
+++ b/lib/topic_retriever.rb
@@ -50,6 +50,6 @@ class TopicRetriever
     user = User.where(username_lower: username.downcase).first
     return if user.blank?
 
-    TopicEmbed.import_remote(user, @embed_url)
+    TopicEmbed.import_remote(@embed_url, user: user)
   end
 end

@blake

I have submitted a PR that fixes this issue FIX broken topic embedding because of incomplete security patch (#22088) by communiteq · Pull Request #22184 · discourse/discourse · GitHub

Thanks @RGJ for the fix, that PR is now merged.