Multiple cors origins on hosted discourse?

(Kevin van Zonneveld) #1

Hi, hope I’m asking at the right place! We want to use a hosted (as in paid) discourse account and embed it on three sites to power their comment sections.

It is my understanding that I would need to whitelist 3 domains as cors origins which I’ve done like so:

It seems however upon some testing that only the first domain is returned:

It is my understanding that it’s not possible to return multiple origins in the cors header. In our company we’ve worked around that by checking the origin, and matching it against a short whitelist. If it occurs, we return that specific origin for the current request. That way multiple origins can indeed be supported.

Could this be something you’d be willing to support/implement or should we go for a self-hosted solution and hack around this? For one thing, I think the way the interface is now, you would expect it allows multiple origins.

Would be awesome if you’d consider this, as I’m looking forward very much to building a community for our open source projects with discourse! <3

(Neil Lalonde) #2

If the origin of the request matches one of the listed origins, then we return that as the allowed CORS origin.

So it should already be working for you.

(Kevin van Zonneveld) #3

Okay then it must be something fishy on my end. I’ll dive deeper, thanks a lot for verifying this for me!

(Kevin van Zonneveld) #4

So, as far as I can tell, all requests are coming through correctly. Here are the ones from

And these are from our server:

There are no errors in the console (that relate to discourse, or would stop javascript execution):

Yet I keep seeing that “Error Embedding” message when testing locally. From the server side, I have configured these four allowed embedding hosts:

… as well as enabled these CORS origins:

which according to these instructions are the common things that go wrong.

I’m sure I’m doing something silly but since there’s no error I’m unsure how to debug this further. Would you have clues?

(Kevin van Zonneveld) #5

Just deployed it to production so you can have a look: Releasing our official Python SDK | Transloadit

Getting these errors:

Refused to display '' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

(which I believe is set on your end and should really allow us to iframe, correct?)


VM2928 comments? Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('') does not match the recipient window's origin ('').
postUp @ VM2928 comments?
window.onload @ VM2928 comments?

Which just confuses me a great deal :slight_smile:

You can see topics are being created now: Major improvements to our Go SDK - Website comments - Transloadit Community

But the iframing does not work. Could this be because we enabled HTTPS and your HTTPS terminator sets some additional security enhancing headers that are not compatible with embedding?

(Michael Brown) #7

Hi, just wanted to let you know we’re taking a look at this.

(Jeff Atwood) #11

@sam thinks we have fixed this, and have deployed, can you try again and let us know?

(Kevin van Zonneveld) #12

Just tested and it works like a charm! Thanks for the fix, and thanks for a great product!

(Sam Saffron) #13

Note, the error was actually nothing to do with the CORS origins, instead it was a particular HTML structure our “except parser” exploded on. If you had empty content in certain nodes we were totally unable to generate excerpts, something that broke topic creation.