First load on embedded comments fail on WebKit

The first time an article with embedded Discourse comments is loaded we load the IFRAME with the following request:

GET https://forum.example.com/embed/comments?embed_url=https://site.example.com/article
referer: https://site.example.com/article

This will serve a page with

  (function() {
    setTimeout(function() {
      document.location.reload();
    }, 30000);
  })();

So Jobs::RetrieveTopic have time to download the page, create the topic and work it’s magic.

30 seconds after the IFRAME reloads, and if we have a topic it works, and if we don’t it will try again in 30 seconds, just fine.

However, on Webkit and derivatives, thanks to this bug the Javascript reload will change the referer to the current location of the IFRAME:

GET https://forum.example.com/embed/comments?embed_url=https://site.example.com/article
referer: https://forum.example.com/embed/comments?embed_url=https://site.example.com/article

This will result in an error, because forum.example.com is not allowed to embed comments.

My proposal to work around this bug is to always allow the forum own FQDN in the list of allowed referrers. Is it a good fix?

1 Like

That seems plenty safe to me…

1 Like

Fixed in

https://github.com/discourse/discourse/pull/5018

3 Likes