Is it possible to avoid 'Access-Control-Allow-Origin' using token?

(Matthieu) #1

First, I’m certainly not a web-dev so maybe that I will say is completely non-sense and probably it does but it is how we learn.

I’m trying to embed discourse content on a webpage and I’m facing the ‘Access-Control-Allow-Origin’ problem.
I saw there is some sort of plugin to configure the discourse instance to allow it:

Yet I also saw it is possible to add authorization in the header when doing an HTTP get request.

Is there any way to specify somehow a private authorization key so I can load the content without having to change the X-Frame-Options for everyone doing http request to my forum?

For info, here is the way I’m getting data:

app.service('discourse', function($http) {
  delete $http.defaults.headers.common['X-Requested-With'];
  this.getData = function(callbackFunc) {
          method: 'GET',
          url: '',
          params: 'limit=10, sort_by=created:desc',
          headers: {'Authorization': 'Token token=xxxxYYYYZzzz'}
          // With the data succesfully returned, call our callback
          alert("error while trying to fetch data");