Hi,
I now have a way simpler solution. It’s something that should probably be called out in Embedding Discourse Comments via Javascript :
For cross-site embedding, in the embedding pages, add either
-
<meta name="referrer" content="strict-origin">withPath Allowlistset to/.*(because no path will be provided), or -
<meta name="referrer" content="no-referrer-when-downgrade">with the actualPath Allowlist.
As mentioned in Referrer-Policy - HTTP | MDN, “There is effort from browsers in moving to a stricter default value,” and Discourse embedding relies on the old default for cross-host embedding.
Cheers, Axel.