1cebe7670a
New site setting: `embed_any_origin` that will send postMessages to wildcard origins `*` instead of the referer. Most of the time you won't want to do this, so the setting is default to `false`. However, there are certain situations where you want to allow embedding to send post messages when there is no HTTP REFERER. For example, if you created a native mobile app and you wanted to embed a list of Discourse topics as HTML. In the code your HTML would be a static file/string, which would not be able to send a referer. In this case, the site setting will allow the embed to work. From a security standpoint we currently only use `postMessage` to send data about the size of the HTML document and scroll position, so it should be enable if required with minimal security ramifications. |
||
|---|---|---|
| .. | ||
| _head.html.erb | ||
| application.html.erb | ||
| crawler.html.erb | ||
| email_template.html.erb | ||
| embed.html.erb | ||
| finish_installation.html.erb | ||
| no_ember.html.erb | ||