CDN URL must be added to the CSP script src

I have a site configured with environment variables (ENV) like this:

DISCOURSE_FORCE_HTTPS: true
DISCOURSE_S3_ACCESS_KEY_ID: 'KEY'
DISCOURSE_S3_SECRET_ACCESS_KEY: 'SECRET'
DISCOURSE_BACKUP_LOCATION: 's3'
DISCOURSE_ENABLE_S3_UPLOADS: true
DISCOURSE_ENABLE_S3_INVENTORY: false
DISCOURSE_S3_BACKUP_BUCKET: 'mybucket/backups'
DISCOURSE_S3_UPLOAD_BUCKET: 'mybucket'
DISCOURSE_S3_CDN_URL: 'https://mybuckets3.cdn.literatehosting.com'
DISCOURSE_S3_REGION: 'us-west-1'
DISCOURSE_BACKUP_WITH_UPLOADS: 'false'
DISCOURSE_CDN_URL: 'https://mybucket.cdn.literatehosting.com'

It worked perfectly until I added the S3 CDN URL. After adding the S3 CDN, my browser started rejecting requests to the regular (non-S3) CDN. I added the CDN URL to SiteSetting.content_security_policy_script_src= and then it worked again. That looks like a bug, doesn't it? I only did a restart after changing those environment variables, not a rebuild. Do I need to run a rake assets:precompile when I change the CDN settings?

Hmm, this should be working fine. The CSP is supposed to whitelist the specific folders on the S3 and pull CDNs that scripts come from.

What CSP was/is Discourse sending with the page? Is this a subfolder install?

1 like

I think I understand that. Is that CSP in the static assets that a rake assets:precompile makes? (But then why would adding it to the settings fix it?)

I’m afraid that I don’t quite know the canonical way to get the answer to that question.

Not subfolder. A fairly standard install, though traefik is a reverse proxy in front of it.

curl -I https://discourse.example.com/ or the Chrome inspector, and get the content of the Content-Security-Policy header.

2 likes
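One way to inspect the header the reply above suggests fetching, as an added example that is not Discourse's own code: it parses a Content-Security-Policy value and reports whether script-src covers the two CDN origins from the ENV in the first post. The sample header and the assumed /assets/ script path are constructed, not captured from a real site.

```python
"""Check whether a CSP header's script-src covers the configured CDN origins.
Added example for this thread; the header below is constructed, not real."""
from urllib.parse import urlparse

# Constructed header, shaped like the value `curl -I` would show. It lists the
# S3 CDN assets path but not the regular CDN, reproducing the reported symptom.
SAMPLE_CSP = (
    "base-uri 'none'; object-src 'none'; "
    "script-src https://mybuckets3.cdn.literatehosting.com/assets/ "
    "https://discourse.example.com/logs/ 'unsafe-inline'; "
    "worker-src 'self' blob:"
)

# Origins taken from the ENV in the first post.
CDN_URLS = {
    "DISCOURSE_S3_CDN_URL": "https://mybuckets3.cdn.literatehosting.com",
    "DISCOURSE_CDN_URL": "https://mybucket.cdn.literatehosting.com",
}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_allows(source, url):
    """True if one host-source expression covers url (scheme, host incl. *.
    wildcard, port, and path prefix). Keywords and scheme-only sources are
    skipped, since they never name a CDN host."""
    if source.startswith("'") or source.endswith(":"):
        return False
    src = urlparse(source if "://" in source else "https://" + source)
    tgt = urlparse(url)
    host_ok = src.hostname == tgt.hostname or (
        src.hostname.startswith("*.") and tgt.hostname.endswith(src.hostname[1:]))
    path = src.path
    if not path or path == "/":
        path_ok = True
    elif path.endswith("/"):
        path_ok = tgt.path.startswith(path)   # directory source: prefix match
    else:
        path_ok = tgt.path == path            # file source: exact match
    return src.scheme == tgt.scheme and host_ok and src.port == tgt.port and path_ok

def cdn_coverage(header, cdn_urls, script_path="/assets/application.js"):
    """Map each ENV name to whether script-src allows a script under its CDN.
    script_path is an assumed location of a compiled asset."""
    policy = parse_csp(header)
    sources = policy.get("script-src") or policy.get("default-src", [])
    return {name: any(source_allows(s, url + script_path) for s in sources)
            for name, url in cdn_urls.items()}

if __name__ == "__main__":
    for name, ok in cdn_coverage(SAMPLE_CSP, CDN_URLS).items():
        print(f"{name}: {'allowed' if ok else 'BLOCKED by script-src'}")
```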