Hi,
I now have a way simpler solution. It’s something that should probably be called out in Embed Discourse comments on another website via Javascript :
For cross-site embedding, in the embedding pages, add either
<meta name="referrer" content="strict-origin">withPath Allowlistset to/.*(because no path will be provided), or<meta name="referrer" content="no-referrer-when-downgrade">with the actualPath Allowlist.
As mentioned in Referrer-Policy header - HTTP | MDN, “There is effort from browsers in moving to a stricter default value,” and Discourse embedding relies on the old default for cross-host embedding.
Cheers, Axel.