We use Discourse embedding for Jekyll at New ROOT Web Site! - ROOT - works like a charm! Unless the browser is suppressing the Referer: header, in which case we get a 400 Bad Request. Try it yourself: if you switch to a private Firefox window (which suppresses referrers), then embedding is broken. Same for Safari, which seems to be a bit stricter on handing out referrers.
Thanks for looking at this! It could very well be related to the difference in domain names: I could imagine that browsers are providing referrers for a request to the same domain, but not to a different domain. But while that’s interesting I don’t yet see what we can do to fix this - we won’t be able to use root.cern as the forum domain, and that cross-domain embedding seemed a key and super useful feature… Is this simply at risk these days, given improved privacy, or can you think of a way out?
Something I might want to try is reverse proxying from root.cern/forum to root-forum.cern.ch. That way, the embedding can be done as if it’s on the same host, and we keep a referrer…? I’ll be back
For cross-site embedding, in the embedding pages, add either
<meta name="referrer" content="strict-origin"> with Path Allowlist set to /.* (because no path will be provided), or
<meta name="referrer" content="no-referrer-when-downgrade"> with the actual Path Allowlist.
As mentioned in Referrer-Policy - HTTP | MDN, “There is effort from browsers in moving to a stricter default value,” and Discourse embedding relies on the old default for cross-host embedding.
Just a warning, Tejas - AFAIK without the meta tag, Safari and Firefox / Private suppress the Referer header completely. What you suggest might work for Chrome >= 85, but adding the meta tag seems more robust / general and I suspect is sufficiently trivial for most embeddings?