Automatically adding theme scripts to CSP

david · April 23, 2020, 5:05pm

We often see support topics from people trying to add external javascript references to their themes. By default, the content security policy will block this, and the admin has to manually add the script to the CSP site setting (or a theme setting/modifier).

However, @Johani made an excellent suggestion on how we can improve it.

Rather than asking theme developers to copy/paste things around the admin UI, we can do this automatically. We can parse all of the HTML in a theme, extract the src of any external scripts, and add it to the CSP.

After all, computers are a lot better at repetitive copy/paste than humans!

I opened a PR which implements that:

https://github.com/discourse/discourse/pull/9531

pmusaraj · April 27, 2020, 2:25pm

I am seeing some console errors locally:

In production environments, I also see sources added in the format https://CDN_SERVER/theme-javascripts/31657759d037d8c06397e9965a1113169100846e.js... which is redundant, because the policy already whitelists https://CDN_SERVER/theme-javascripts. Probably limit the auto-extension to to external script sources only?

david · April 27, 2020, 2:59pm

Thanks @pmusaraj, I added some more checks to make sure we don’t serve invalid urls in the CSP, and also made sure theme-javascript URLs are excluded:

https://github.com/discourse/discourse/commit/f95609ae23ce1604b5f53c9d232e66895cfc9ee7

fzngagan · October 23, 2020, 1:02pm

This is awesome. @merefield isn’t this super cool?

Topic		Replies	Views
Add own CSP headers support	5	312	June 16, 2023
CSP error: Couldn't parse invalid host /theme-javascripts/ support	5	1327	May 28, 2020
"Refused to load the script" when adding adsense support	3	1307	March 10, 2019
Adding JavaScript to a theme in /head not working (UserWay) support	4	1146	May 29, 2020
Experimenting with a 'strict-dynamic' Content Security Policy (CSP) admins	0	469	February 16, 2024

Automatically adding theme scripts to CSP

Related Topics