Can't get script tag to work in landing pages plugin due to content-security-policy

TheNab · June 30, 2025, 12:54am

inline js script tag isn’t being loaded due to csp and idk how to fix it.

awesomerobot · June 30, 2025, 1:12pm

There’s some information in this post that may help: Mitigate XSS Attacks with Content Security Policy

Mitigate XSS Attacks with Content Security Policy

CSP and third-party integrations

When using third-party services like Google Tag Manager, Google Analytics, or advertising services, you may need to adjust your CSP settings. In most cases with Discourse version 3.3.0.beta1 or later, external scripts should work without additional configuration due to the ‘strict-dynamic’ CSP implementation.

If you encounter issues, you may need to:

Identify the required script sources by monitoring your browser console

Add the necessary sources to the content_security_policy_script_src setting

For complex integrations like ad services which load external resources, you might need to enable cross-domain rendering (Example PR from discourse-adplugin that does this).

Best practices

Start with CSP Report-Only mode to identify potential issues

Gradually tighten your CSP as you resolve legitimate violations

Regularly review your CSP settings and adjust as needed

Be cautious when adding permissive directives like 'unsafe-eval' or 'wasm-unsafe-eval'

Keep your Discourse instance updated to benefit from the latest CSP improvements

TheNab · June 30, 2025, 5:14pm

I’ve read through that and others but cannot piece together how to actually add the exception to the content_security_policy_script_src

Topic		Replies	Views
"Refused to load the script" when adding adsense Support	3	1420	March 10, 2019
GTM Refused to load the script because it violates the Content Security Policy Data & reporting	3	3335	June 16, 2021
Mitigate XSS Attacks with Content Security Policy Site Management how-to , content-security-policy	32	23964	June 13, 2023
Cannot add content security policy script src Support	2	69	January 1, 2025
We couldn't find the code on your site Support advertising	9	2321	October 18, 2022

Can't get script tag to work in landing pages plugin due to content-security-policy

Related topics