Help with Embed: Unable to post message to [discourse]. Receipient has origin [mydomain]

benscheirman · June 1, 2021, 5:41pm

I have a new Discourse set up and am trying to embed comments on a page on another site.

When I run this in Safari I get this error in the JavaScript console:

Unrecognized Content-Security-Policy directive 'worker-src'.

The embed page shows “Loading discussion…” for about 30 seconds.

Then I see this in the console:

Unrecognized Content-Security-Policy directive 'worker-src'.
Unrecognized Content-Security-Policy directive 'worker-src'.
Unable to post message to https://forum.nsscreencast.com. Recipient has origin https://nsscreencast.com.

I presume this is to have the iframe self-size after content is loaded. When I run this in a Chromium-based browser I don’t get this error.

Is there something I need to configure to get this postMessage flow working in Safari?

Falco · June 1, 2021, 6:00pm

This is something we are going to fix soon. We rely on the referer for embed requests to check if they are allowed, but recent changes to browsers broke a lot of our assumptions in this area.

benscheirman · June 1, 2021, 6:01pm

Thanks for the quick reply. Anything I can do in the meantime to get around this? i.e. implementing some custom JS on the embedding site?

Falco · June 1, 2021, 6:23pm

What are the settings at /admin/customize/embedding ?

benscheirman · June 1, 2021, 6:38pm

Seems pretty basic…

It is working, however the first post seems to load a long time and often doesn’t refresh on its own. After that I can see “Start Discussion” or the actual replies.

Settings:

Username: benscheirman
Max posts to embed: 100
Regular expression to stripe title: “- NSScreencast$”

Truncate: YES
Imported topics will be unlisted until there is a reply: NO

Falco · June 1, 2021, 6:44pm

That is the exact bug we have, and it happens due to a quirky on the browsers about how they handle a refresh in an iFrame using the a tag in the head, which we had to introduce in Extract inline JS on embedded comments by xrav3nz · Pull Request #6645 · discourse/discourse · GitHub to enable CSP.

So the first person to visit a blog post with comments will have to refresh it to see the embed, all subsequent visits will work. We have a proposed fix already and will merge it in a few weeks.

benscheirman · July 11, 2021, 2:30am

I wanted to follow up on this and see if this fix was merged. If not, can you link the PR here so I can track it?

Falco · July 15, 2021, 10:03pm

https://github.com/discourse/discourse/pull/13756

Falco · July 19, 2021, 11:00am

This topic was automatically closed after 2 days. New replies are no longer allowed.

Topic		Replies	Views
Embedding on NextJS - Stuck on Loading and constant iframe refresh Support unsupported-install	1	1261	June 7, 2022
Some pages on my site won't fully embed comments Support	11	1474	September 27, 2017
Discourse blog comments like your blog comments Support	8	2939	June 9, 2019
Embedding Discourse Comments via Javascript over https Support	3	643	March 1, 2020
First load on embedded comments fail on WebKit Bug	3	775	August 8, 2017

Help with Embed: Unable to post message to [discourse]. Receipient has origin [mydomain]

Settings:

Related topics