Confused about remotely loaded javascript content

Okay… still on my quest to get my adserver to display on Discourse. I ran across this mystery that I can’t figure out. Using the theme editing feature I have added my script request to both </body> and ‘footer’.

If added to the footer (or ‘after header’) the code fails, even though in inspection mode the encoded text seems to be correct. See below:

The “Where is this?” text shows up, but nothing else.

However, the same script request (below) added to </body> works. Why?

<script language="Javascript" src="https://adserver.kitmaker.net/index.php?section=serve&action=1"></script>

I have tried adding this to the House Ads data field and again the text is part of the encoded data on the page, but nothing.

creatives\&quot;:{\&quot;Leaderboard Ad\&quot;:\&quot;\\u003cscript language=\\\&quot;Javascript\\\&quot; src=\\\&quot;https://adserver.kitmaker.net/index.php?section=serve\\u0026action=1\\\&quot;\\u003e\&quot;}},\&quot;

I am also not seemingly able to get my Adsense ads working by themselves yet, but maybe that is on their end and they just haven’t scanned the site yet to see what to put up. Odd it’s taking this long though.

Thanks for any help.

Jim

Hopefully a developer will see this one. 🙂

Can I ask that a moderator put this in support or whatever category makes sense. I left it uncategorized.

Thanks. And sorry to be such a nudge on this but I am coming up on a deployment deadline and I really need to figure this issue out.

Okay so I noted that the CSP log was showing the Google ads script was being blocked so I added

https://pagead2.googlesyndication.com

to the CSP script src list and then my Google Adsense ads started appearing (kind of surprised you still have to do that even with the Adsense plugin installed). The thing I noted though is that with my House Ads set to 100% (so that my script is the only one being called) I get ZERO notification in CSP that there is an issue. So that leaves me right back to being confused. The House Ad code is in the HTML (encoded) and appears as above in the browser inspection view.

Is there something blocking the output but not triggering a CSP warning?

The output uses document.write to create the ad space. I am guessing that is the culprit. The output looks like this:

Lol… if I put the script output in here in text it was generating just fine. Doh…

I did find this post with a similar issue, but this person figured it out on their own and is clearly better with javascript than I.

As with him though I am willing to pay someone for help with this.

Thanks,
Jim

1 Like

So… this is all CSP related (I assume) because the site is set to ‘unsafe-inline’ data and I am trying to pull my adserver script with a URL with variables. I know… how barbaric of me.

So… ANYONE? Is there a simple fix for this or should I just give up?

The proper fix is to not use inline and rewrite it to hook into existing EmberJS template outlets. If you are looking into a band-aid fix, you can disable CSP in the site settings while you work on making the changes to your custom ads solution. Just be aware that may expose you to XSS.

You can also look into adding your server to a fork of the adplugin, like it was done in this PR: https://github.com/discourse/discourse-adplugin/pull/80/files or https://github.com/discourse/discourse-adplugin/pull/73/files or even https://github.com/discourse/discourse-adplugin/pull/65

4 Likes
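The question earlier in the thread (why adding a host to the CSP script-src list unblocks a remote script even though the URL carries query-string variables, and what ‘unsafe-inline’ actually governs) comes down to how script-src source expressions are matched. The following is an added example, not code from the thread or from Discourse: a simplified evaluator for the script-src directive. It models 'self', 'unsafe-inline', 'none', '*', host-source expressions of the form scheme://host[:port][/path] with *.host wildcards, and the fallback from script-src to default-src; nonces, hashes and 'strict-dynamic' are deliberately not modelled. The policy, page origin and ad URL at the bottom are constructed values in the shape of the thread's setup.

```javascript
// Added example (not from the thread, the ad server or Discourse): a
// simplified CSP script-src evaluator. Nonces, hashes and 'strict-dynamic'
// are not modelled.

// [scheme://]host[:port][/path] -- a query string or fragment is never part
// of a source expression, which is why the ad URL's "?section=..." is
// irrelevant to the match.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

const DEFAULT_PORT = { http: "80", https: "443" };

// Return the token list of the named directive, or null if it is absent.
function parseDirective(policy, name) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does one host-source expression match the script URL? Only scheme, host,
// port and path take part in the comparison.
function hostSourceMatches(source, url, pageOrigin) {
  const m = HOST_SOURCE.exec(source);
  if (!m) return false; // keywords, nonces and hashes are not host sources
  const [, scheme, host, port, path] = m;

  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const wantScheme = (scheme || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  // CSP lets an http: expression also match https: URLs; otherwise schemes must agree.
  if (urlScheme !== wantScheme && !(wantScheme === "http" && urlScheme === "https")) return false;

  const urlHost = url.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wantHost.startsWith("*.")) {
    const suffix = wantHost.slice(1); // "*.example.com" -> ".example.com"
    if (!urlHost.endsWith(suffix) || urlHost.length === suffix.length) return false;
  } else if (wantHost !== "*" && urlHost !== wantHost) {
    return false;
  }

  const urlPort = url.port || DEFAULT_PORT[urlScheme] || "";
  if (port === "*") {
    // any port is acceptable
  } else if (port) {
    if (urlPort !== port) return false;
  } else if (url.port !== "") {
    return false; // expression has no port, so the URL must use the scheme's default
  }

  if (path) {
    // A path ending in "/" is a prefix; any other path must match exactly.
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would this policy let the browser run the script?
//   scriptAllowed(policy, { src: "https://...", pageOrigin })  remote <script src>
//   scriptAllowed(policy, { inline: true, pageOrigin })        inline <script>
function scriptAllowed(policy, { src, inline = false, pageOrigin }) {
  const sources = parseDirective(policy, "script-src") ?? parseDirective(policy, "default-src");
  if (sources === null) return true; // neither directive present: nothing restricts scripts
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  if (inline) return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const url = new URL(src);
  return sources.some((s) =>
    s.toLowerCase() === "'self'" ? url.origin === pageOrigin : hostSourceMatches(s, url, pageOrigin)
  );
}

// Constructed values in the shape of the thread's setup (placeholder hosts).
const PAGE_ORIGIN = "https://forum.example";
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://adserver.example";
const AD_SCRIPT_URL = "https://adserver.example/index.php?section=serve&action=1";

console.log("remote ad script allowed:", scriptAllowed(EXAMPLE_POLICY, { src: AD_SCRIPT_URL, pageOrigin: PAGE_ORIGIN }));
console.log("inline script allowed:", scriptAllowed(EXAMPLE_POLICY, { inline: true, pageOrigin: PAGE_ORIGIN }));
```

The evaluator makes the two points in the thread concrete: a remote script from an allowlisted host is permitted whatever its query string, so listing the ad server's origin is enough and ‘unsafe-inline’ is not what lets that request through; ‘unsafe-inline’ only governs scripts written directly into the page, which is also what a browser would need for a document.write-emitted `<script>` block. Tightening the policy by dropping ‘unsafe-inline’ and narrowing each host to a path, as in the stricter policy in the test, keeps the ad server reachable while removing the XSS exposure the reply above mentions.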

Also where is the Content Security Policy being declared? I don’t see any meta tag for it. Is this just default HTML 5 assumed settings via each browser?

Check Mitigate XSS Attacks with Content Security Policy

2 Likes

Thanks Falco. Rather than just shut off all protection, is there a way I can whitelist data strings for just the adserver URL and allow those variables through? Or… just turn off the “‘unsafe-inline’ data” requirement?

I don’t see that option outlined in the article you linked unfortunately.

Thanks again.

Okay I guess I must be getting desperate, because I did try to shut off the CSP entirely…

And yet still the ad will not display in the main section of the site, only the footer where it’s installed in the theme in </body>. I did realize there is a <noscript> wrapper around the center section though and that footer one is outside the close of the </noscript> so maybe that is why?

I checked in Firefox and my console now shows no CSP warnings. Not sure why I was never seeing them in Chrome to start with.

Discourse is a Single Page Application and all the page markup is created client-side via our EmberJS application.

Using direct DOM manipulation like document.write is in direct conflict with the whole thing and has a really low chance of “just working”.

I’d recommend trying to adapt your ads system to use our House Ads in the official Ad Plugin system. Maybe you can have a single ad in the house ads inventory, and use the page change hook to contact the ad server and replace the ad with the response? Or maybe your ad system can write to the House Ads inventory directly via API?

2 Likes
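The reply above explains why a document.write-based ad script fights a single-page application: after the initial load, a real document.write would replace the whole document rather than add to it. The following is an added example, not code from the thread, the ad server or Discourse, of the intermediate approach it suggests: run the ad script with document.write and document.writeln diverted into a buffer, then place the captured markup into a container the application owns, and repeat that on each client-side route change. The `api` object is assumed to offer an onPageChange(callback) method, modelled on the page-change hook the reply mentions, and is passed in as a parameter so the code runs stand-alone; `sampleAdScript`, the fake document and the placeholder host are constructed for the example.

```javascript
// Added example (not from the thread, the ad server or Discourse): running a
// document.write-based ad script inside a single-page app without letting it
// touch the live document.

// Run `runAdScript(doc)` with doc.write/doc.writeln diverted into a buffer and
// return everything the script wrote. The originals are restored even if the
// ad script throws.
function captureDocumentWrite(doc, runAdScript) {
  const chunks = [];
  const originalWrite = doc.write;
  const originalWriteln = doc.writeln;
  doc.write = (...parts) => { chunks.push(parts.join("")); };
  doc.writeln = (...parts) => { chunks.push(parts.join("") + "\n"); };
  try {
    runAdScript(doc);
  } finally {
    doc.write = originalWrite;
    doc.writeln = originalWriteln;
  }
  return chunks.join("");
}

// Place captured markup into the app-owned slot. Assigning innerHTML does not
// execute <script> elements contained in the markup, so nested scripts the ad
// relies on are dropped rather than run; report how many so that is visible.
function renderCapturedAd(slot, markup) {
  const droppedScripts = (markup.match(/<script\b/gi) || []).length;
  slot.innerHTML = markup;
  return { inserted: markup.length > 0, droppedScripts };
}

// Re-render the ad on every route change. `api.onPageChange(cb)` is assumed
// (hypothetical here) to call cb after each client-side transition.
// findSlot(doc) returns the container for the current route, or null if the
// route has no ad placement. Returns a function reporting the render count.
function installAdRefresher(api, doc, findSlot, runAdScript) {
  let renders = 0;
  api.onPageChange(() => {
    const slot = findSlot(doc);
    if (!slot) return;
    const markup = captureDocumentWrite(doc, runAdScript);
    renderCapturedAd(slot, markup);
    renders += 1;
  });
  return () => renders;
}

// Constructed stand-in for the remote ad script: it emits its markup through
// document.write, as the ad server in the thread does.
function sampleAdScript(doc) {
  doc.write('<div class="leaderboard">');
  doc.write('<a href="https://adserver.example/click?id=1">', "Ad", "</a>");
  doc.writeln("</div>");
}

// Stand-alone demo with a fake document and slot, so no browser is needed.
if (typeof document === "undefined") {
  const fakeDoc = {
    write() { throw new Error("native document.write reached"); },
    writeln() { throw new Error("native document.writeln reached"); },
  };
  const slot = { innerHTML: "" };
  const markup = captureDocumentWrite(fakeDoc, sampleAdScript);
  console.log(renderCapturedAd(slot, markup), slot.innerHTML);
}
```

In a browser the diversion only helps while the remote script is actually executing, so the override has to be in place from before the `<script>` element is appended until its load event fires, and the captured markup still comes from a third party: inserting it with innerHTML keeps nested scripts from running, which is the safer default, but it also means an ad that depends on them will render empty, so the dropped-script count is worth logging during integration.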

Thanks for the help Falco. A bit scary but the codebase for this adserver was written prior to the term API being created so… yeah I would be better off writing an entirely new adserver system from scratch. I just don’t have the time for that right now as I am deploying this new forum and 6+ new content sites as well.

I will play around with some alternate options to using document.write and see if that can work.

Cheers,
Jim

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.