Hello there!

I am requesting two additions to the meta.tag parent CSP for embeds. Specifically for discord, there are currently both https://discordapp.com and https://discord.com. This works great for the majority of users that use the stable app. However, a not insignificant amount of users use PTB (Beta) and Canary (Alpha) which use a different subdomain and thus get blocked by CSP from playing clips etc…

There are two potential solutions to this:

  1. Discord changes from meta.tag parent to whatever domain the client is using. This seems to be a non-solution due to discord’s scale and given that meta.tag does exist for these larger sites. Furthermore, this has seemingly been denied here :anchor: T647 Twitch embeds will not play on canary or PTB (discord.com)
  2. https://ptb.discord.com and https://canary.discord.com get added to the list that already exists for the meta.tag parent. An additional benefit of this is that all past embeds will also work, not only new ones.

I don’t know for sure if the https://discordapp.com should be removed in this change, but I believe it should as it should never be a parent anymore, only being used for cdn, and redirecting when trying to access the client.

That sounds like all things that Discord needs to do. Since they convert the URL pasted into Discord into an embed.

But for Canary/PTB they don’t use the right information to construct the embed with.

I don’t think Twitch does anything special to allow Discord Embeds to work. So this sounds like it’s on Discord. And if it’s on Twitch then Discord needs to contact Twitch directly for their “special case” but I don’t believe a special case is in place.

Theres nothing you or I can do about this.

They convert it into an embed yes, the first solution would be on discord, but isn’t the second on twitch’s end?

They use a sandboxed iframe within the embed just the way any other site would, except using parent=meta.tag instead of parent=sitename.com Given the CSP returned by using meta.tag it looks like it is generated by Twitch.

Then that means the Disord got Twitch to make something special for Discord embeds.

So then it’s on Discord’s contact with Twitch to organise/request that change.

Edit: either way beyond this forum to help on this matter. I’m not even sure it’s relevant to the Twitch bug tracker, since it’s a Discord bug. So it’s bounced back to Discord to determine what they want/if they want it fixed.

I think that it was made by Twitch for larger social sites to use when parent was first rolled out; reddit, twitter, embedly, and facebook are also in that list. If that’s still something that Discord needs to contact Twitch about I’ll forward that along though.

Yeah coz Twitch doesn’t know if Discord even wants PTB/canary to be on the list or not.

