Okay… still on my quest to get my adserver to display on Discourse. I ran across this mystery that I can’t figure out. Using the theme editing feature I have added my script request to both </body> and ‘footer’.
If added to the footer (or ‘after header’) the code fails. Even though in inspection mode the encoded text seems to be correct. See below:
I am also not seemingly able to get my Adsense ads working by themselves yet, but maybe that is on their end and they just haven’t scanned the site yet to see what to put up. Odd it’s taking this long though.
Okay so I noted that the CSP log was showing the Google ads script was being blocked so I added
https://pagead2.googlesyndication.com
to the CSP script src list and then my Google Adsense ads started appearing (kind of surprised you still have to do that even with the Adsense plugin installed). The thing I noted though is that with my House Ads set to 100% (so that my script is the only one being called) I get ZERO notification in CSP that there is an issue. So that leaves me right back to being confused. The House Ad code is in the HTML (encoded) and appears as above in the browser inspection view.
Is there something blocking the output but not triggering a CSP warning?
The output uses document.write to create the ad space. I am guessing that is the culprit. The output looks like this:
So… this is all CSP related (I assume) because the site is set to ‘unsafe-inline’ data and I am trying to pull my adserver script with a URL with variables. I know… how barbaric of me.
So… ANYONE? Is there a simple fix for this or should I just give up?
The proper fix is to not use inline and rewrite it to hook into existing EmberJS template outlets. If you are looking for a band-aid fix, you can disable CSP in the site settings while you work on making the changes to your custom ads solution. Just be aware that may expose you to XSS.
Also where is the Content Security Policy being declared? I don’t see any meta tag for it. Is this just default HTML 5 assumed settings via each browser?
Thanks Falco. Rather than just shut off all protection is there a way I can whitelist data strings for just the adserver URL and allow those variables through. Or… just turn off the “‘unsafe-inline’ data” requirement?
I don’t see that option outlined in the article you linked unfortunately.
And yet still the ad will not display in the main section of the site, only the footer where it’s installed in the theme in </body>. I did realize there is a <noscript> wrapper around the center section though and that footer one is outside the close of the </noscript> so maybe that is why?
I checked in Firefox and my console now shows no CSP warnings. Not sure why I was never seeing them in Chrome to start with.
Discourse is a Single Page Application and all the page markup is created client-side via our EmberJS application.
Using direct DOM manipulation like document.write is in direct conflict with the whole thing and has a really low chance of “just working”.
I’d recommend trying to adapt your ads system to use our House Ads in the official Ad Plugin system. Maybe you can have a single ad in the house ads inventory, and use the page change hook to contact the ad server and replace the ad with the response? Or maybe your ad system can write to the House Ads inventory directly via API?
Thanks for the help Falco. A bit scary but the codebase for this adserver was written prior to the term API being created so… yeah I would be better off writing an entirely new adserver system from scratch. I just don’t have the time for that right now as I am deploying this new forum and 6+ new content sites as well.
I will play around with some alternate options to using document.write and see if that can work.
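
An added example, not part of the original thread or Discourse's code: a simplified JavaScript model of how a CSP `script-src` list is matched against an external script URL. It shows that allowing a host, as with `https://pagead2.googlesyndication.com` above, also covers URLs on that host that carry query-string variables. The policy strings and the `forum.example` and `ads.example` hosts are constructed placeholders, and the matcher covers only a subset of CSP Level 3 (no ports, nonces, hashes or bare `*`).

```javascript
// Simplified model of CSP Level 3 matching for external scripts (added example).
// Covers 'self', scheme sources (https:) and host sources with an optional
// scheme, a leading "*." wildcard and an optional path. Not a full implementation.
function scriptSources(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = values; // first occurrence wins
  }
  return directives["script-src"] || directives["default-src"] || null;
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // keywords like 'unsafe-inline' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(\/.*)?$/i.exec(expr);
  if (!m) return false; // unsupported form (for example a port) is treated as no match
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  if (!path || path === "/") return true;
  // Only the path is compared; the query string and fragment are ignored.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive, nothing is blocked
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample values (hypothetical forum and adserver hosts).
const PAGE = "https://forum.example";
const BEFORE = "script-src 'self' 'unsafe-inline'";
const AFTER = BEFORE + " https://pagead2.googlesyndication.com https://ads.example";
const ADSENSE = "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js";
const HOUSE_AD = "https://ads.example/serve.js?zone=3&cb=12345";

for (const [label, policy] of [["before", BEFORE], ["after", AFTER]]) {
  console.log(label, isScriptAllowed(policy, ADSENSE, PAGE), isScriptAllowed(policy, HOUSE_AD, PAGE));
}
```

Listing a host in `script-src` governs which external script files may load; it does not by itself make `document.write` output appear inside markup that the single-page application renders later.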