Multiple cors origins on hosted discourse?

Hi, hope I’m asking at the right place! We want to use a hosted (as in paid) discourse account and embed it on three sites to power their comment sections.

It is my understanding that I would need to whitelist 3 domains as cors origins which I’ve done like so:

It seems however upon some testing that only the first domain is returned:

It is my understanding that it’s not possible to return multiple origins in the cors header. In our company we’ve worked around that by checking the origin, and matching it against a short whitelist. If it occurs, we return that specific origin for the current request. That way multiple origins can indeed be supported.

Could this be something you’d be willing to support/implement or should we go for a self-hosted solution and hack around this? For one thing, I think the way the interface is now, you would expect it allows multiple origins.

Would be awesome if you’d consider this, as I’m looking forward very much to building a community for our open source projects with discourse! <3

If the origin of the request matches one of the listed origins, then we return that as the allowed CORS origin.

So it should already be working for you.


Okay then it must be something fishy on my end. I’ll dive deeper, thanks a lot for verifying this for me!

So, as far as I can tell, all requests are coming through correctly. Here are the ones from

And these are from our server:

There are no errors in the console (that relate to discourse, or would stop javascript execution):

Yet I keep seeing that “Error Embedding” message when testing locally. From the server side, I have configured these four allowed embedding hosts:

… as well as enabled these CORS origins:

which according to these instructions are the common things that go wrong.

I’m sure I’m doing something silly but since there’s no error I’m unsure how to debug this further. Would you have clues?

Just deployed it to production so you can have a look: Releasing our official Python SDK | Transloadit

Getting these errors:

Refused to display '' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

(which I believe is set on your end and should really allow us to iframe, correct?)


VM2928 comments? Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('') does not match the recipient window's origin ('').
postUp @ VM2928 comments?
window.onload @ VM2928 comments?

Which just confuses me a great deal :slight_smile:

You can see topics are being created now: Major improvements to our Go SDK - Website comments - Transloadit Community

But the iframing does not work. Could this be because we enabled HTTPS and your HTTPS terminator sets some additional security enhancing headers that are not compatible with embedding?

Hi, just wanted to let you know we’re taking a look at this.


@sam thinks we have fixed this, and have deployed, can you try again and let us know?


Just tested and it works like a charm! Thanks for the fix, and thanks for a great product!


Note, the error was actually nothing to do with the CORS origins, instead it was a particular HTML structure our “except parser” exploded on. If you had empty content in certain nodes we were totally unable to generate excerpts, something that broke topic creation.