Add support to only allow specific origins

[laymonage]

Utterances supports origin allowlisting using utterances.json. This is helpful to prevent unknown sites from using giscus with any user's repository discussions.

[laymonage]

https://stackoverflow.com/questions/62412608/how-do-i-get-file-contents-from-github-apiv4-on-the-default-branch

{
  repository(owner: $owner, name: $name) {
    object(expression: "HEAD:giscus.json") {
      ... on Blob {
        text
      }
    }
  }
}

This would help us prevent something like utterance/utterances#523.

[laymonage]

Looks like we don't need to use the GraphQL API.

We can just call something like

https://api.github.com/repos/laymonage/giscus/contents/README.md

and get decode the content.

[samarulmeu]

Sorry for the, probably, dumb question, but does it already exists a way to specify that I can allow only my http://example.com site to post and read comments?

[laymonage]

@samarulmeu Hey, no, that's a good question. I'm still working on the feature, it's nearly done. I'm looking to push it this weekend.

[laymonage]

Sorry for the delay @samarulmeu, I was feeling unwell. It's implemented in #125, you can see the guide here. Please test it when you have the time. Thanks!

[samarulmeu]

@laymonage Thank you so much! This is a great news. I was waiting for this before implementing it on my blog.

I will test it tomorrow.

Take care of your health. It is the most important.

[samarulmeu]

Please tell me if I did something wrong.

You can see the giscus.json file here, but I can still post comments from other domains (https://cttrl-git-fixednav-samarul.vercel.app).

[laymonage]

Hey @samarulmeu, thanks for the report.
I've shipped de316dc which should fix the issue.

[samarulmeu]

Thank you! Now it is working. I tested even the regex (the giscus example) and it is working.