mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 11:20:57 -06:00
1cebe7670a
New site setting: `embed_any_origin` that will send postMessages to wildcard origins `*` instead of the referer. Most of the time you won't want to do this, so the setting defaults to `false`. However, there are certain situations where you want to allow embedding to send post messages when there is no HTTP REFERER. For example, if you created a native mobile app and you wanted to embed a list of Discourse topics as HTML. In the code your HTML would be a static file/string, which would not be able to send a referer. In this case, the site setting will allow the embed to work. From a security standpoint we currently only use `postMessage` to send data about the size of the HTML document and scroll position, so it should be enabled if required with minimal security ramifications.
25 lines
662 B
Plaintext
<!DOCTYPE html>
<html<%= raw @embeddable_css_class -%>>
  <head>
    <meta charset="utf-8">

    <%= discourse_stylesheet_link_tag 'embed', theme_ids: nil %>
    <%- unless customization_disabled? %>
      <%= discourse_stylesheet_link_tag :embedded_theme %>
    <%- end %>
    <%= preload_script 'break_string' %>

    <%- if @topic_view && @topic_view.page_title.present? %>
      <title><%= @topic_view.page_title %> - <%= SiteSetting.title %></title>
    <%- end %>

    <meta id="data-embedded" data-referer="<%= @data_referer %>">
    <%= preload_script 'embed-application' %>

    <%= yield :head %>
  </head>
  <body>
    <%= yield %>
  </body>
</html>
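The target-origin choice described in the commit message above, as an added JavaScript sketch that is not Discourse's own code: `resolveTargetOrigin`, `acceptEmbedMessage` and the `height`/`scrollTop` message fields are assumed names. It shows why a missing or opaque referer leaves no usable target unless the wildcard is enabled, and what the embedding page can still check on receipt.

```javascript
// Added illustration; all names here are hypothetical, not taken from Discourse.

// Sender side (inside the embedded frame): pick the targetOrigin for postMessage.
// `referer` stands for the value rendered into data-referer, `embedAnyOrigin`
// for the embed_any_origin site setting.
function resolveTargetOrigin(referer, embedAnyOrigin) {
  if (embedAnyOrigin) return "*"; // any parent window can read the message
  if (!referer) return null;      // no referer and setting off: nothing to target
  try {
    const origin = new URL(referer).origin;
    // Opaque origins (file:, data:) serialize to "null" and cannot be targeted.
    return origin === "null" ? null : origin;
  } catch {
    return null;                  // malformed referer value
  }
}

// Receiver side (the embedding page): the wildcard only widens who may read the
// message, so the parent still pins the sender origin and validates the payload.
// The field names below are assumed for the size and scroll data.
function acceptEmbedMessage(event, forumOrigin) {
  if (event.origin !== forumOrigin) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  const accepted = {};
  for (const field of ["height", "scrollTop"]) {
    if (!(field in data)) continue;
    const value = data[field];
    // Reject anything that is not a plain, bounded, non-negative number.
    if (!Number.isFinite(value) || value < 0 || value > 1e6) return null;
    accepted[field] = value;
  }
  return Object.keys(accepted).length > 0 ? accepted : null;
}

// Constructed sample inputs.
console.log(resolveTargetOrigin("https://blog.example.com/post/1", false));
console.log(resolveTargetOrigin("file:///android_asset/topics.html", false));
console.log(resolveTargetOrigin("", true));
console.log(acceptEmbedMessage(
  { origin: "https://forum.example.com", data: { height: 420, scrollTop: 0 } },
  "https://forum.example.com"
));
```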