After upgrade, the content security policy script-src for GTM

We updated Discourse on 2021-04-08.

Then we noticed the content_security_policy may have some issues.

GTM for content security policy script src

F12 for the console:

This happened after updating to the newest version of Discourse.

1 Like

Can you show us the full CSP header as sent?

1 Like

@supermathie

Thank you very much for your quick response.

I tried to load the header from Firefox; I am not sure whether I did it right.

Please see attachment of the screen.

Changed to Chrome.

Here, maybe you can see more detail for the request.

Things must have changed since the original post since it’s now behaving as it should:

○ → curl -I https://www.ossez.com
HTTP/2 200 
…
content-security-policy: base-uri 'none'; object-src 'none'; script-src https://www.ossez.com/logs/ https://www.ossez.com/sidekiq/ https://www.ossez.com/mini-profiler-resources/ https://www.ossez.com/assets/ https://www.ossez.com/brotli_asset/ https://www.ossez.com/extra-locales/ https://www.ossez.com/highlight-js/ https://www.ossez.com/javascripts/ https://www.ossez.com/plugins/ https://www.ossez.com/theme-javascripts/ https://www.ossez.com/svg-sprite/ https://www.googletagmanager.com/gtm.js 'nonce-38d2a45e5e933b869e14465772b2c0de' https: https://tagmanager.google.com https://www.googletagmanager.com 'unsafe-inline' https://analytics.ossez.com/matomo.js https://www.ossez.com/cdn-cgi/apps/head/qk5vBDFy7qBIoPy3q8a6LUoKei8.js https://www.googletagmanager.com/gtm.js; worker-src 'self' https://www.ossez.com/assets/ https://www.ossez.com/brotli_asset/ https://www.ossez.com/javascripts/ https://www.ossez.com/plugins/

‘unsafe-inline’ is now properly quoted, but is being ignored by Chrome:

Refused to execute inline script because it violates the following Content Security Policy directive: […] Note that ‘unsafe-inline’ is ignored if either a hash or nonce value is present in the source list.

and Firefox:

Content Security Policy: Ignoring “‘unsafe-inline’” within script-src or style-src: nonce-source or hash-source specified

since you’ve specified a nonce value in the CSP list: 'nonce-38d2a45e5e933b869e14465772b2c0de'

I see that you’re behind Cloudflare; please note that you have to disable various Cloudflare features since by default they will break Discourse.

4 Likes
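A small checker for the pitfall described in the reply above, added here as an example and not code from the thread or from Discourse: it parses a CSP header (the script-src from the curl output, other directives trimmed) and reports whether 'unsafe-inline' will be ignored because a nonce or hash source is also listed, which is exactly what the Chrome and Firefox console messages say.

```python
import re

# Sample header built from the thread's curl output (other directives trimmed);
# the nonce is the value that appeared in that header, not a live one.
CSP_HEADER = (
    "base-uri 'none'; object-src 'none'; "
    "script-src https://www.ossez.com/assets/ https://www.googletagmanager.com/gtm.js "
    "'nonce-38d2a45e5e933b869e14465772b2c0de' https: https://tagmanager.google.com "
    "'unsafe-inline' https://analytics.ossez.com/matomo.js; "
    "worker-src 'self' https://www.ossez.com/assets/"
)

# A nonce-source or hash-source keyword, e.g. 'nonce-abc' or 'sha256-...'
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.
    Browsers honour only the first occurrence of a repeated directive."""
    directives = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _has_inline(sources):
    return any(s.lower() == "'unsafe-inline'" for s in sources)


def _has_nonce_or_hash(sources):
    return any(NONCE_OR_HASH.match(s) for s in sources)


def inline_policy(directives, directive="script-src"):
    """Describe how a CSP Level 2 browser treats an inline script (or style)
    that carries no nonce/hash. Falls back to default-src when the directive
    is absent, as the spec does."""
    sources = directives.get(directive, directives.get("default-src", []))
    if _has_nonce_or_hash(sources):
        # Nonce/hash present => 'unsafe-inline' is ignored, inline code needs a match.
        return "blocked: 'unsafe-inline' ignored, a matching nonce or hash is required"
    if _has_inline(sources):
        return "allowed by 'unsafe-inline'"
    return "blocked: no inline sources at all"


def unsafe_inline_is_ignored(directives):
    """Directives listing 'unsafe-inline' next to a nonce or hash, where the keyword is dead weight."""
    return [d for d in ("script-src", "style-src")
            if _has_inline(directives.get(d, [])) and _has_nonce_or_hash(directives.get(d, []))]
```

Run it against the header in the thread and script-src is reported, so any inline snippet GTM injects without the page's nonce is refused regardless of the 'unsafe-inline' keyword.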

Thank you very much.

1 Like