CDN URL must be added to csp script src

I’ve got a site configured with ENV like this:

  DISCOURSE_FORCE_HTTPS: true
  DISCOURSE_S3_ACCESS_KEY_ID: 'KEY'
  DISCOURSE_S3_SECRET_ACCESS_KEY: 'SECRET'
  DISCOURSE_BACKUP_LOCATION: 's3'
  DISCOURSE_ENABLE_S3_UPLOADS: true
  DISCOURSE_ENABLE_S3_INVENTORY: false
  DISCOURSE_S3_BACKUP_BUCKET: 'mybucket/backups'
  DISCOURSE_S3_UPLOAD_BUCKET: 'mybucket'
  DISCOURSE_S3_CDN_URL: 'https://mybuckets3.cdn.literatehosting.com'
  DISCOURSE_S3_REGION: 'us-west-1'
  DISCOURSE_BACKUP_WITH_UPLOADS: 'false'
  DISCOURSE_CDN_URL: 'https://mybucket.cdn.literatehosting.com'

It worked fine until I added the s3 cdn url. After I added the S3 CDN, my browser started rejecting requests to the normal (not S3) CDN. I added the CDN url to SiteSetting.content_security_policy_script_src= and then it worked again. This seems like a bug, no? I just did a restart after changes these ENV variables, not a rebuild. Do I need to do a rake assets:precompile when I changed the CDN settings?

Hmm, this should be working fine. The CSP is supposed to whitelist the specific folders on the S3 and pull CDNs that scripts come from.

What CSP was/is Discourse sending with the page? Is this a subfolder install?

I think I understand that. Is that CSP in the static assets that a rake assets:precompile makes? (But then why would adding it to the settings fix it.)

I’m afraid that I don’t quite know the canonical way to get the answer to that question.

Not subfolder. A fairly standard install, though traefik is a reverse proxy in front of it.

curl -I https://discourse.example.com/ or the Chrome inspector, and get the content of the Content-Security-Policy header.