Thank you for providing such a fantastic product! My community and I have enjoyed using it for years. Recently, we encountered an issue, and I would greatly appreciate any assistance.
After upgrading from Discourse 3.3.0 to 3.4.0, new users are seeing a blank page (header and footer only) when clicking the email verification link to reach the “activate-account” page.
Adjusted the policy and cleared the cache, but it didn’t resolve the issue.
Tried modifying CSP through Discourse Admin Panel: added ‘self’, ‘unsafe-eval’, and attempted SHA256 hashing. We also referenced this article but saw no change.
The /cdn-cgi/speculation endpoint is added to domains registered on Cloudflare when the “Speed Brain” feature is enabled. Speed Brain is intended to speed up a website’s performance by allowing Cloudflare to prefetch content when a user hovers over a link. I’m not sure this is compatible with Discourse.
I see the Speculation-Rules header is being returned with the response when I visit https://community.lezismore.org/login. That indicates that the Speed Brain feature is enabled. From the Cloudflare docs, it seems that it is enabled by default.
Can you try disabling Speed Brain from the Speed tab of your Cloudflare dashboard? Instructions for how to do that are here: Speed Brain | Cloudflare Speed docs.
The “Caveats” section of the docs I linked to says:
Speed Brain will not work with restrictive Content Security Policy configurations using strict-dynamic or nonce-{hash} attributes.
If Speed Brain is compatible with Discourse, we’ll have to figure out how to add it to the Content Security rules.
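Added example, not part of the original thread and not Discourse or Cloudflare code: a small header check for the condition discussed above, a `Speculation-Rules` response header served together with a Content Security Policy that uses `strict-dynamic` or nonces. The function names and the sample header values are constructed for illustration.

```python
import sys
import urllib.request

# Constructed sample headers (not captured from the site in this thread).
SAMPLE = {
    "Speculation-Rules": '"/cdn-cgi/speculation"',
    "Content-Security-Policy":
        "script-src 'self' 'nonce-abc123' 'strict-dynamic'; object-src 'none'",
}


def script_sources(csp):
    """Return the script source list of each policy in a CSP header value."""
    lists = []
    for policy in csp.split(","):  # one header value may carry several policies
        directives = {}
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:  # first occurrence of a directive wins
                directives.setdefault(tokens[0].lower(), tokens[1:])
        # script-src falls back to default-src when it is absent
        lists.append(directives.get("script-src", directives.get("default-src", [])))
    return lists


def diagnose(headers):
    """Flag Speculation-Rules served together with a nonce/strict-dynamic CSP."""
    h = {k.lower(): v for k, v in headers.items()}
    strict = set()
    for sources in script_sources(h.get("content-security-policy", "")):
        for src in (s.lower() for s in sources):
            if src == "'strict-dynamic'":
                strict.add("strict-dynamic")
            elif src.startswith("'nonce-"):
                strict.add("nonce")
    speculation = "speculation-rules" in h
    return {
        "speculation_rules": speculation,
        "strict_sources": sorted(strict),
        "conflict": speculation and bool(strict),
    }


if __name__ == "__main__":
    headers = SAMPLE
    if len(sys.argv) > 1:  # optional: check a live URL you operate
        with urllib.request.urlopen(sys.argv[1]) as resp:
            headers = dict(resp.headers.items())
    print(diagnose(headers))
```

Run it before and after toggling Speed Brain: once the feature is off, `speculation_rules` should be `False` on a fresh, uncached response.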