Bad CSP policy JS file


I installed a Discourse instance yesterday, and today it shows a dark page, and in the console I see

Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' [url]/logs/ [url]/sidekiq/ [url]/mini-profiler-resources/ [url]/assets/ [url]/brotli_asset/ [url]/extra-locales/ [url]/highlight-js/ [url]/javascripts/ [url]/plugins/ [url]/theme-javascripts/ [url]/svg-sprite/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
A bad HTTP response code (404) was received when fetching the script.

How can I fix it?

Disable cloudflare for your site in your cloudflare control panel. The Rocket Loader feature in particular is absolutely incompatible with Discourse.

1 Like
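To make the console error in the question easier to read, here is an added example (not from this thread or from Discourse) of how a browser matches a script URL against a `script-src` source list. It uses the directive from the error with the site's `[url]` replaced by a constructed origin, and it shows that a script served from anywhere not on that list, including a third-party host and the empty URL `''` reported above, is refused; wildcards and nonces are left out of this simplified matcher.

```python
from urllib.parse import urlparse

# Constructed stand-in for the site's own origin (the thread shows it as "[url]").
SITE = "https://forum.example"

# script-src source list from the console error in the question.
SCRIPT_SRC = "'unsafe-eval' 'report-sample' " + " ".join(
    f"{SITE}/{p}/" for p in [
        "logs", "sidekiq", "mini-profiler-resources", "assets", "brotli_asset",
        "extra-locales", "highlight-js", "javascripts", "plugins",
        "theme-javascripts", "svg-sprite"])


def _host_source_matches(source, script_url):
    """Simplified CSP host-source match on scheme, host and path.

    A source path ending in '/' matches any URL under that prefix; a path
    without a trailing '/' must match exactly. Wildcards are not handled.
    """
    src = urlparse(source if "://" in source else "//" + source)
    url = urlparse(script_url)
    if src.scheme and src.scheme != url.scheme:
        return False
    if src.netloc != url.netloc:
        return False
    if src.path in ("", "/"):
        return True
    if src.path.endswith("/"):
        return url.path.startswith(src.path)
    return url.path == src.path


def script_allowed(directive, script_url, page_origin=SITE):
    """Return True if a <script src=script_url> would pass this script-src list."""
    for source in directive.split():
        if source == "'self'":
            # 'self' allows the page's own origin; this directive does not use it.
            if script_url.startswith(page_origin + "/"):
                return True
        elif source.startswith("'"):
            # Keyword sources such as 'unsafe-eval' never permit an external URL.
            continue
        elif _host_source_matches(source, script_url):
            return True
    return False
```

A script injected from another host, even one that the page itself loads fine, fails this check exactly as the browser reports, so the policy would have to name that host before it could load.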

Could you please elaborate as to why this is “absolutely” incompatible? I use this on other rails apps that are heavily customized and optimized with success (usually after a little debugging). I’m curious as to why Discourse hasn’t been reworked to make this functional with the full CloudFlare suite of services since it’s so heavily used.

Ask CloudFlare why, it’s their code, not ours.

There’s not really any benefit or incentive here.

You appear to be operating under the assumption that Cloudflare can optimize Discourse code better than CDCK’s own developers. What are you basing that on?

Cloudflare is ok as a cache, but all performance features need to be disabled, otherwise your install is completely unsupported.

From some discussion I’ve seen on here, there appear to be issues with the meaningful first paint appearing quickly enough; various tests have been returning such results. I was hopeful that Rocket Loader might reduce that further while actual work goes on in this area to resolve it.

No, that will make it worse. Discourse is a JavaScript application, so first load is going to cost a bit more as the app is downloaded into the browser’s JavaScript runtime.


Thanks for clarifying.

Technically it should work, but if it doesn’t, that’s because Cloudflare wrote bad code. You should mail them about it if you wish to pursue this further. We can’t control Cloudflare’s code because we… aren’t Cloudflare.

I hope that’s clear enough.

1 Like