This documentation site is about the unstable (upcoming) Comentario version.  Switch to the stable version »

Allowed origins for embedded Comentario

domain.defaults.embed.origins.allowed

This dynamic configuration parameter defines which domains are allowed to embed Comentario comments.

This parameter contains a comma-separated list of hosts (each consisting of a hostname and an optional port) that are allowed to load and display Comentario comments. The actual host value is derived from the Origin HTTP header by removing its scheme (protocol) specification.

The following rules apply to each individual value:

ValueDescription
$Stands for the current domain’s host itself. This is the default.
*Matches any origin. Adding a * to the list effectively disables any origin checks.
nullMatches opaque origins, such as file: URLs.

Default value

By default, this parameter contains a single $, which means only requests originating from this specific domain will be allowed; requesting comments from a page on any other domain (or from a local .html file) will result in an error.

A more concrete example:

  • You have configured domain example.com in Comentario.
  • You’ve set the Allowed origins for embedded Comentario to a single $.
  • It means that only pages from these URLs will be able to display comments:
    • http://example.com
    • https://example.com
  • But not pages from these URLs:
    • http://subdomain.example.com
    • https://example.org

Use cases

Most use cases for changing this value also involve specifying a different domain-id for comments.

Mirror domain

You may want to share comments across multiple domains, effectively creating domain aliases. For example:

  • Main domain hosting comments is example.com, and it’s registered in Comentario using ID 7d9f8c76-36ef-4f52-a2d4-dc0ed58bed9d.
  • There’s also a mirror at example.org.
  • You host comments using the tag <comentario-comments domain-id="7d9f8c76-36ef-4f52-a2d4-dc0ed58bed9d"></comentario-comments>.
  • You’ll need to set allowed origins to $,example.org (or example.com,example.org) in order for the above to work.

Static website preview

In case of a static website or CMS it’s sensible to check the layout prior to publishing. In most cases you’ll need to add localhost (often with a port number, such as localhost:1313 for Hugo) to the list of allowed origins.

Local HTML file

If you use locally-stored .html files and would like to see Comentario in action, you’ll need to add null to the list.

Disabling origin check

Sometimes it may be necessary to lift any restrictions on serving comments, for example, for testing purposes. Although not recommended (see below), you can set this parameter to a single *, which will disable any origin checks.

WARNING
Disabling origin check is not recommended. If you do so, anyone can “hijack” comments on your domain by using a domain-id attribute pointing to it.

Empty value

Be also aware that an empty value will match nothing, which will effectively disable serving comments for this domain.

See also

Tags: , , , , , ,