No `Referer:`, no embedding

Hi,

I now have a way simpler solution. It’s something that should probably be called out in Embedding Discourse Comments via Javascript:

For cross-site embedding, in the embedding pages, add either

  • `<meta name="referrer" content="strict-origin">` with Path Allowlist set to `/.*` (because no path will be provided), or
  • `<meta name="referrer" content="no-referrer-when-downgrade">` with the actual Path Allowlist.

As mentioned in Referrer-Policy - HTTP | MDN, “There is effort from browsers in moving to a stricter default value,” and Discourse embedding relies on the old default for cross-host embedding.

Cheers, Axel.

2 Likes
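The effect of the two settings described in the post above can be modelled as follows. This is an added example, not part of the original post and not Discourse code. The hostnames and paths are constructed, and `pathAllowed` is a hypothetical stand-in that assumes the allowlist is a regular expression matched against the path of the `Referer` URL.

```javascript
// Models the Referer value a browser sends for a given Referrer-Policy.
// Simplification: "downgrade" means an https page requesting an http target.
function computeReferrer(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  // Full referrer: fragment and credentials are never included.
  const full = page.origin + page.pathname + page.search;
  // Origin-only referrer: the path is reduced to "/".
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hypothetical embed-host check (assumption): no Referer means no embedding,
// otherwise the allowlist regex must match the whole referrer path.
function pathAllowed(referrer, allowlist) {
  if (referrer === null) return false;
  const path = new URL(referrer).pathname;
  return new RegExp("^(?:" + allowlist + ")$").test(path);
}

// Constructed sample: a blog page embedding comments from a forum on another host.
const PAGE = "https://blog.example/posts/hello-world.html";
const FORUM = "https://forum.example/embed/comments";

function embedAllowed(policy, allowlist) {
  return pathAllowed(computeReferrer(policy, PAGE, FORUM), allowlist);
}

for (const policy of ["strict-origin-when-cross-origin", "strict-origin",
                      "no-referrer-when-downgrade", "no-referrer"]) {
  console.log(policy, "->", computeReferrer(policy, PAGE, FORUM),
              "| /posts/.* allowed:", embedAllowed(policy, "/posts/.*"),
              "| /.* allowed:", embedAllowed(policy, "/.*"));
}
```

In this model an origin-only policy always presents the path `/`, so a path-specific allowlist can only be enforced when the embedding page sends the full URL.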