Support embedding Discourse in an iframe

Howdy!

I’m developing a web app, and I’d love to use Discourse as my forums / community discussion platform. One of my main requirements though is that the forum should be able to be opened in an iframe docked to the side of my UI, so that users can browse tutorials, talk to other people, or contact support all within the comfort of the app itself. This is a huge win for UX, and because Discourse is responsive and mobile friendly, a small iframe should work well for this use case. It seems like this would be an awesome feature for Discourse that many people might use.

I saw this old discussion about this topic, which includes one proposed solution.

So I wanted to ask the maintainers and folks here, is this a feature that you would be open to a PR for? Would you consider adding this feature? Are there any issues with that solution that was proposed that would need to be dealt with?

The main issue I see is that of opening up possible security problems, e.g.

Cross Frame Scripting

Interesting, thanks for pointing that out.

If Cross Frame Scripting was a concern, could we allow people to specify a trusted domain(s)?

For example, the ALLOW-FROM URI in the X-FRAME-OPTIONS header. See here.

pasted the wrong URL - link fixed

Yes, sending headers should take care of most if not all security risks.
(I say most because I don’t know if some older browsers might not use the headers)

Okie dokie :thumbsup:

Not being a developer, this thread leaves me puzzled about what the conclusion is regarding embedding discourse in an IFRAME. When you say:

This sounds to me like: problem solved, especially since - in my case - everything would not only be happening under the same domain but even on the same server. But my understanding is also that this is nevertheless not supported and therefore not recommended for people like me. But why? If trusted domains can be specified?

Because it’s an extremely fragile configuration. Discourse expects to control the browser tightly as a JavaScript app. This is not a static 1996 era web page to be slapped in an <iframe> willy-nilly, it’s far more complex.

2 Likes

@codinghorror any update on this? Would be great to be able to embed the calendar into our website to make things uniform.

Edit: I just want to be able to embed this page: JuliaLang

There might be a hidden setting that turns off the no-iframe directive, I can’t recall at the moment, but we have that in there for good reason.

I think this is more of a feature request for the plugin, the embed should be different to the whole page

Cc @j.jaffeux

5 Likes

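This is a simple plugin. However, it doesn't work. Since it was last updated 6 years ago, could a simple change make it work again?

# name: Allow iFrame embedding
# about: Changes X-Frame-Options so the site can be embedded
# version: 1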
# authors: bex-team, riking,

Rails.application.config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})

If you want to embed Discourse in an iframe without restrictions, two settings are needed:

  1. Uncheck the CSP restriction in Settings

  2. Enable the hidden site setting allow_embedding_site_in_an_iframe

cd /var/discourse
./launcher enter app
rails c
SiteSetting.allow_embedding_site_in_an_iframe=true
exit
exit

2 Likes
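
A way to check from the response headers what the two settings above leave in place, as an added example that is not part of the thread or of Discourse: a simplified Ruby model of how current browsers evaluate X-Frame-Options and CSP frame-ancestors. The function names, origins and sample headers are constructed for illustration; ports in sources, nested frames and multiple policies are not modelled.

```ruby
require "uri"

# Simplified model of a current browser's framing decision. Only the direct
# parent is checked; ports in sources, nested frames and multiple CSP
# policies are not modelled. All names here are hypothetical.
def origin_of(url)
  u = URI(url)
  "#{u.scheme}://#{u.host}:#{u.port}"
end

# Match one frame-ancestors source expression against the embedding page.
def source_matches?(source, parent, page)
  return false if source == "'none'"
  return origin_of(parent) == origin_of(page) if source == "'self'"
  return true if source == "*"
  pu = URI(parent)
  return pu.scheme == source.chomp(":") if source.end_with?(":") # e.g. https:
  scheme, host = source.include?("://") ? source.split("://", 2) : [nil, source]
  return false if scheme && scheme != pu.scheme
  host = host.split(%r{[:/]}).first.to_s
  host.start_with?("*.") ? pu.host.end_with?(host[1..]) : pu.host == host
end

# Returns [:allowed | :blocked, reason] for `page` framed by `parent`.
def framing_verdict(headers, parent:, page:)
  h = headers.to_h { |k, v| [k.downcase, v.to_s] }
  fa = h.fetch("content-security-policy", "").split(";")
        .map { |d| d.downcase.split }.find { |d| d.first == "frame-ancestors" }
  if fa
    # When frame-ancestors is present, browsers enforce it and ignore XFO.
    ok = fa.drop(1).any? { |s| source_matches?(s, parent, page) }
    return [ok ? :allowed : :blocked, "CSP frame-ancestors"]
  end
  case h["x-frame-options"].to_s.strip.upcase
  when "" then [:allowed, "no framing header"]
  when "DENY" then [:blocked, "X-Frame-Options"]
  when "SAMEORIGIN"
    [origin_of(parent) == origin_of(page) ? :allowed : :blocked, "X-Frame-Options"]
  else # ALLOWALL, ALLOW-FROM ...: not a recognised value, header is ignored
    [:allowed, "X-Frame-Options value ignored"]
  end
end

# Constructed sample: an ALLOWALL override next to a CSP that still restricts.
SAMPLE = { "X-Frame-Options" => "ALLOWALL",
           "Content-Security-Policy" => "script-src 'self'; frame-ancestors 'self'" }
p framing_verdict(SAMPLE, parent: "https://app.example.com",
                          page: "https://forum.example.com/latest")
```

Feeding it the header pairs returned by a `curl -sI` request to the forum shows which of the two headers is deciding the outcome.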

@denvergeeks I tried that, but my forum still can't be embedded in an iframe.

What is the URL of the site you want to embed?

forum.dreambyte.ai

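I can't load the URL you posted at all… If you can get it to load, I can test it on my site, which supports iframe embedding.

It would be very helpful for me if I could embed the Discourse calendar on other websites. Has there been any progress on this?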