Hi, hope I’m asking at the right place! We want to use a hosted (as in paid) discourse account and embed it on three sites to power their comment sections.
It is my understanding that it’s not possible to return multiple origins in the cors header. In our company we’ve worked around that by checking the origin, and matching it against a short whitelist. If it occurs, we return that specific origin for the current request. That way multiple origins can indeed be supported.
Could this be something you’d be willing to support/implement or should we go for a self-hosted solution and hack around this? For one thing, I think the way the interface is now, you would expect it allows multiple origins.
Would be awesome if you’d consider this, as I’m looking forward very much to building a community for our open source projects with discourse! <3
Refused to display 'https://community.transloadit.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
(which I believe is set on your end and should really allow us to iframe, correct?)
and:
VM2928 comments?embed_url=https%3A%2F%2Ftransloadit.com%2Fblog%2F2017%2F08%2Fpython-sdk-release%2F:17 Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://community.transloadit.com') does not match the recipient window's origin ('https://transloadit.com').
postUp @ VM2928 comments?embed_url=https%3A%2F%2Ftransloadit.com%2Fblog%2F2017%2F08%2Fpython-sdk-release%2F:17
window.onload @ VM2928 comments?embed_url=https%3A%2F%2Ftransloadit.com%2Fblog%2F2017%2F08%2Fpython-sdk-release%2F:38
But the iframing does not work. Could this be because we enabled HTTPS and your HTTPS terminator sets some additional security enhancing headers that are not compatible with embedding?
Note, the error was actually nothing to do with the CORS origins, instead it was a particular HTML structure our “except parser” exploded on. If you had empty content in certain nodes we were totally unable to generate excerpts, something that broke topic creation.