Help with Embed: Unable to post message to [discourse]. Recipient has origin [mydomain]

I have a new Discourse set up and am trying to embed comments on a page on another site.

When I run this in Safari I get this error in the JavaScript console:

Unrecognized Content-Security-Policy directive 'worker-src'.

The embed page shows “Loading discussion…” for about 30 seconds.

Then I see this in the console:

Unrecognized Content-Security-Policy directive 'worker-src'.
Unrecognized Content-Security-Policy directive 'worker-src'.
Unable to post message to https://forum.nsscreencast.com. Recipient has origin https://nsscreencast.com.

I presume this is to have the iframe self-size after content is loaded. When I run this in a Chromium-based browser I don’t get this error.

Is there something I need to configure to get this postMessage flow working in Safari?

1 Like

This is something we are going to fix soon. We rely on the referer for embed requests to check if they are allowed, but recent changes to browsers broke a lot of our assumptions in this area.

3 Likes

👍 Thanks for the quick reply. Anything I can do in the meantime to get around this? i.e. implementing some custom JS on the embedding site?

What are the settings at /admin/customize/embedding ?

Seems pretty basic…

It is working; however, the first post seems to take a long time to load and often doesn’t refresh on its own. After that I can see “Start Discussion” or the actual replies.

Settings:

Username: benscheirman
Max posts to embed: 100
Regular expression to strip title: “- NSScreencast$”

Truncate: YES
Imported topics will be unlisted until there is a reply: NO

That is the exact bug we have, and it happens due to a quirk in browsers in how they handle a refresh in an iFrame using the a tag in the head, which we had to introduce in Extract inline JS on embedded comments by xrav3nz · Pull Request #6645 · discourse/discourse · GitHub to enable CSP.

So the first person to visit a blog post with comments will have to refresh it to see the embed; all subsequent visits will work. We have a proposed fix already and will merge it in a few weeks.

2 Likes
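The console message in the original question comes from the browser's `postMessage` target-origin check. The sketch below is an added example, not code from the thread or from Discourse: it models that check and shows a host-page resize handler that validates the sender. The message shape (`type: "embed-resize"`), the URL paths and the height limit are assumptions made for illustration.

```javascript
// Added example: models the browser's targetOrigin check for postMessage and
// a host-page resize handler that validates the sender. The message shape
// ({type: "embed-resize", height}) is hypothetical, not Discourse's protocol.

// Serialized origin (scheme://host[:port]) of a URL, as browsers compare it.
function originOf(url) {
  return new URL(url).origin;
}

// Delivery rule: the message is dispatched only when targetOrigin is "*" or
// equals the origin of the document currently loaded in the recipient window.
// An iframe still on its initial blank document has its embedder's origin,
// so a message addressed to the forum origin is dropped with a console error.
function wouldDeliver(targetOrigin, recipientDocumentUrl) {
  if (targetOrigin === "*") return true;
  return originOf(targetOrigin) === originOf(recipientDocumentUrl);
}

// Host-page handler: accept resize messages only from the forum origin and
// only with a sane integer height; everything else is ignored.
function makeResizeHandler(forumOrigin, iframe, maxHeight = 20000) {
  const allowed = originOf(forumOrigin);
  return function onMessage(event) {
    if (event.origin !== allowed) return false;
    const data = event.data;
    if (!data || data.type !== "embed-resize") return false;
    const h = Number(data.height);
    if (!Number.isInteger(h) || h <= 0 || h > maxHeight) return false;
    iframe.height = h + "px";
    return true;
  };
}

// Constructed scenario using the two origins from the console error.
const FORUM = "https://forum.nsscreencast.com";
const HOST_PAGE = "https://nsscreencast.com/episodes/1"; // constructed path
const frame = { height: "0px" }; // stand-in for the iframe element
const handler = makeResizeHandler(FORUM, frame);

console.log(wouldDeliver(FORUM, HOST_PAGE)); // frame not on the forum origin
console.log(wouldDeliver(FORUM, FORUM + "/embed/comments")); // constructed path
console.log(handler({ origin: FORUM, data: { type: "embed-resize", height: 640 } }));
console.log(handler({ origin: "https://other.example", data: { type: "embed-resize", height: 640 } }));
```

In a real page the handler would be registered with `window.addEventListener("message", handler)`; passing `"*"` as the target origin would silence the console error but would also deliver the message to whatever document the frame holds.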