1cebe7670a
New site setting: `embed_any_origin` that will send postMessages to wildcard origins `*` instead of the referer. Most of the time you won't want to do this, so the setting is default to `false`. However, there are certain situations where you want to allow embedding to send post messages when there is no HTTP REFERER. For example, if you created a native mobile app and you wanted to embed a list of Discourse topics as HTML. In the code your HTML would be a static file/string, which would not be able to send a referer. In this case, the site setting will allow the embed to work. From a security standpoint we currently only use `postMessage` to send data about the size of the HTML document and scroll position, so it should be enable if required with minimal security ramifications. |
||
|---|---|---|
| .. | ||
| cloud/cloud66 | ||
| environments | ||
| initializers | ||
| locales | ||
| application.rb | ||
| boot.rb | ||
| cdn.yml.sample | ||
| database.yml | ||
| deploy.rb.sample | ||
| discourse_defaults.conf | ||
| discourse.config.sample | ||
| discourse.pill.sample | ||
| environment.rb | ||
| logrotate.conf | ||
| multisite.yml.production-sample | ||
| nginx.global.conf | ||
| nginx.sample.conf | ||
| projections.json | ||
| puma.rb | ||
| routes.rb | ||
| sidekiq.yml | ||
| site_settings.yml | ||
| spring.rb | ||
| thin.yml.sample | ||
| unicorn_launcher | ||
| unicorn_upstart.conf | ||
| unicorn.conf.rb | ||