Issue with Activate Account Page After Update to 3.4.0 (Blank Page)

Hi Discourse Team,

Thank you for providing such a fantastic product! My community and I have enjoyed using it for years. Recently, we encountered an issue, and I would greatly appreciate any assistance.

After upgrading from Discourse 3.3.0 to 3.4.0, new users are seeing a blank page (header and footer only) when clicking the email verification link to reach the “activate-account” page.


(A test link will be provided at the end of this post.)

Steps Taken So Far:

  1. Checked Developer Console: Error indicates CSP blocking external scripts.

  2. Tried Modifying CSP through Cloudflare:


    Adjusted the policy and cleared the cache, but it didn’t resolve the issue.

  3. Tried Modifying CSP through Discourse Admin Panel: Added ‘self’, ‘unsafe-eval’, and attempted SHA256 hashing. We also referenced this article but saw no change.

  4. Error message:


    Tried various inputs (e.g., ‘self’, ‘unsafe-eval’) and even set the policy to “report only” mode. Still, no effect.

  5. Cleared Cache: No change.

  6. Rebuilt the App: Rebuilt Discourse and cleared the cache afterward, but the issue persists.

Interestingly, this problem doesn’t affect every new user. We found that around 90% of our new users face this issue.

Any suggestions or solutions would be greatly appreciated! Thank you!

Did you try safe-mode?

@pfaffman
Just tried and saw this:

There is another site reporting CSP errors related to the /cdn-cgi/speculation endpoint: Refused to load the script 'xxxx.com/cdn-cgi/speculation' because it violates the following Content Security Policy directive - #2 by simon. I am not aware of similar issues that have been reported in the past. Maybe something has changed either on Cloudflare or in Discourse 3.4.0.

The /cdn-cgi/speculation endpoint is added to domains registered on Cloudflare when the “Speed Brain” feature is enabled. Speed Brain is intended to speed up a website’s performance by allowing Cloudflare to prefetch content when a user hovers over a link. I’m not sure this is compatible with Discourse.

I see the Speculation-Rules header is being returned with the response when I visit https://community.lezismore.org/login. That indicates that the Speed Brain feature is enabled. From the Cloudflare docs, it seems that it is enabled by default.

Can you try disabling Speed Brain from the Speed tab of your Cloudflare dashboard? Instructions for how to do that are here: Speed Brain | Cloudflare Speed docs.

The “Caveats” section of the docs I linked to says:

  • Speed Brain will not work with restrictive Content Security Policy configurations using strict-dynamic or nonce-{hash} attributes.

If Speed Brain is compatible with Discourse, we’ll have to figure out how to add it to the Content Security rules.

2 Likes
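The check described in the reply above (a `Speculation-Rules` response header alongside a Content Security Policy using `strict-dynamic` or a nonce), as an added example that is not part of the original thread or of Discourse or Cloudflare code. The header values are constructed samples, and the function names are hypothetical.

```javascript
// Added example. Header values below are constructed, not captured from any site.
const SAMPLE_CONFLICT = {
  "Content-Security-Policy":
    "base-uri 'self'; script-src 'nonce-CONSTRUCTED123' 'strict-dynamic'",
  "Speculation-Rules": '"/cdn-cgi/speculation"',
};
const SAMPLE_NO_SPEED_BRAIN = {
  "content-security-policy": SAMPLE_CONFLICT["Content-Security-Policy"],
};

// Split a CSP header value into a map of directive name -> source list.
function parseCsp(value) {
  const policy = Object.create(null);
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Report whether a response both advertises speculation rules and enforces
// a script policy using 'strict-dynamic' or a nonce source.
function checkSpeculationConflict(headers) {
  const h = Object.create(null);
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const enforced = h["content-security-policy"];
  const csp = enforced ?? h["content-security-policy-report-only"] ?? "";
  const policy = parseCsp(csp);
  // script-src falls back to default-src when absent.
  const sources = policy["script-src"] ?? policy["default-src"] ?? [];
  const restrictive = sources.filter((s) =>
    /^'(strict-dynamic|nonce-[^']+)'$/i.test(s)
  );
  const speculationRules = h["speculation-rules"] ?? null;
  return {
    speculationRules,
    restrictive,
    enforced: enforced !== undefined,
    conflict:
      speculationRules !== null && enforced !== undefined && restrictive.length > 0,
  };
}

console.log(checkSpeculationConflict(SAMPLE_CONFLICT));
console.log(checkSpeculationConflict(SAMPLE_NO_SPEED_BRAIN));
```

A `conflict: true` result means the page is both advertising speculation rules and enforcing the kind of policy the Cloudflare caveat names; a report-only policy is listed but not counted as a conflict because it does not block anything.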

Thank you for your response.

I have already disabled the Speed Brain setting in Cloudflare and cleared the cache as suggested, but unfortunately, the issue persists.

Here’s the link to today’s new test activate-account page, for anyone who’s interested: https://community.lezismore.org/users/activate-account/34180b9eed9e1a1a1dbcca7eab66fb43

Are you able to log in to the site? If so, do you see any error messages on its error logs page (https://community.lezismore.org/logs)?

1 Like