Is it possible to avoid 'Access-Control-Allow-Origin' using a token?


(Matthieu) #1

First, I’m certainly not a web dev, so maybe what I will say is complete nonsense, and it probably is, but that is how we learn.

I’m trying to embed Discourse content on a webpage and I’m facing the ‘Access-Control-Allow-Origin’ problem.
I saw there is some sort of plugin to configure the Discourse instance to allow it:
https://meta.discourse.org/t/x-frame-options-sameorigin-header-prevents-embedding/14928?source_topic_id=30076

Yet I also saw it is possible to add authorization in the header when doing an HTTP GET request.

Is there any way to specify somehow a private authorization key so I can load the content without having to change the X-Frame-Options for everyone doing HTTP requests to my forum?

For info, here is the way I’m getting data:

```javascript
app.service('discourse', function($http) {
  // Drop the X-Requested-With header that would otherwise be sent with every request
  delete $http.defaults.headers.common['X-Requested-With'];
  this.getData = function(callbackFunc) {
    $http({
      method: 'GET',
      url: 'https://forum.poppy-project.org/t/birth-of-poppy-ergo-jr-and-support-for-low-cost-xl-320-motors/1052.json',
      // $http expects params as an object; it serializes them into the query string
      params: {limit: 10, sort_by: 'created:desc'},
      // Token sent in a custom request header (placeholder value)
      headers: {'Authorization': 'Token token=xxxxYYYYZzzz'}
    }).then(function(response) {
      // With the data successfully returned, call our callback
      callbackFunc(response.data);
    }, function() {
      alert("error while trying to fetch data");
    });
  };
});
```
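
Added example, not part of the original post and not Discourse code: a simplified JavaScript model of the check a browser applies to a cross-origin request like the one above. It shows that an `Authorization` header does not stand in for `Access-Control-Allow-Origin`; it adds a preflight that the server must also answer. The origin `https://embed.example` and the server response headers are constructed.

```javascript
// Simplified model of the browser's CORS check (added example, not Discourse code).
// Not modelled: credentials mode, Content-Type value rules, "*" in Allow-Headers.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// Request headers outside the CORS safelist.
function unsafeHeaders(req) {
  return Object.keys(req.headers || {}).map((h) => h.toLowerCase())
    .filter((h) => !SAFE_HEADERS.includes(h));
}

// A non-safelisted method or header makes the browser send an OPTIONS preflight first.
function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}

function originAllowed(origin, resHeaders) {
  const v = resHeaders['access-control-allow-origin'];
  return v === '*' || v === origin;
}

// Can script running on `origin` read the response? `preflight` and `response`
// are the server's response headers (lower-cased names) for each exchange.
function corsDecision(origin, req, preflight, response) {
  if (needsPreflight(req)) {
    if (!originAllowed(origin, preflight)) return 'blocked: preflight lacks Access-Control-Allow-Origin';
    const method = req.method.toUpperCase();
    if (!SAFE_METHODS.includes(method) &&
        !tokens(preflight['access-control-allow-methods']).includes(method.toLowerCase())) {
      return 'blocked: method not allowed by preflight';
    }
    const allowed = tokens(preflight['access-control-allow-headers']);
    const missing = unsafeHeaders(req).filter((h) => !allowed.includes(h));
    if (missing.length) return 'blocked: header not allowed by preflight: ' + missing[0];
  }
  return originAllowed(origin, response) ? 'readable' : 'blocked: response lacks Access-Control-Allow-Origin';
}

// Constructed sample: the request from the post, sent from a hypothetical embedding page.
const ORIGIN = 'https://embed.example';
const withToken = { method: 'GET', headers: { Authorization: 'Token token=xxxxYYYYZzzz' } };
const noCors = {};
const optIn = { 'access-control-allow-origin': ORIGIN, 'access-control-allow-headers': 'Authorization' };
console.log(corsDecision(ORIGIN, withToken, noCors, noCors)); // token alone: still blocked
console.log(corsDecision(ORIGIN, withToken, optIn, optIn));   // server opts in: readable
```

The same model explains the `delete ... ['X-Requested-With']` line in the post: that header is outside the safelist, so leaving it on would force a preflight by itself.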