Okay… still on my quest to get my adserver to display on Discourse. I ran across this mystery that I can’t figure out. Using the theme editing feature I have added my script request to both </body> and ‘footer’. If added to the footer (or ‘after header’) the code fails. Even though in inspection mo…

Discourse is a Single Page Application and all the page markup is create client-side via our EmberJS application. Using direct DOM manipulation like document.write is in direct conflict with the whole thing and has a really low change of “just working”. I’d recommend trying to adapt you ads system…

Hopefully a developer will see this one. :slight_smile:

Can I ask that a moderator put this in support or whatever category makes sense. I left it uncategorized. Thanks. And sorry to be such a nudge on this but I am coming up on a deployment deadline and I really need to figure this issue out.

Okay so I noted that the CSP log was showing the Google ads script was being blocked so I added https://pagead2.googlesyndication.com to the CSP script src list and then my Google Adsense ads started appearing (kind of surprised you still have to do that even with the Adsense plugin installed). Th…

So… this is all CSP related (I assume) because the site is set to ‘unsafe-inline’ data and I am trying to pull my adserver script with a URL with variables. I know… how barbaric of me. So… ANYONE? Is there a simple fix for this or should I just give up?

The proper fix is to not use inline and rewrite it to hook into existing EmberJS templates outlets. If you are looking into a band-aid fix, you can disable CSP in the site settings while you work into making the changes to your custom ads solution. Just be aware that may expose you to XSS. You can …

Also where is the Content Security Policy being declared? I don’t see any meta tag for it. Is this just default HTML 5 assumed settings via each browser?

[imagen] Jim_Starkweather: Also where is the Content Security Policy being declared? Check Mitigate XSS Attacks with Content Security Policy

Thanks Falco. Rather than just shut off all protection is there a way I can whitelist data strings for just the adserver URL and allow those variables through. Or… just turn off the “‘unsafe-inline’ data” requirement? I don’t see that option outlined in the article you linked unfortunately. Thanks…

Okay I guess I must be getting desperate, because I did try to shut off the CSP entirely… [image] And yet still the ad will not display in the main section of the site, only the footer where it’s installed in the theme in </body>. I did realize there is a <noscript> wrapper around the center sect…

Thanks for the help Falco. A bit scary but the codebase for this adserver was written prior to the term API being created so… yeah I would be better off writing an entirely new adserver system from scratch. I just don’t have the time for that right now as I am deploying this new forum and 6+ new con…

Confundido sobre el contenido de javascript cargado remotamente

Soporte

Falco (Falco) 7 Diciembre, 2020 20:06 8

Consulta Mitigar ataques XSS con la Política de Seguridad de Contenidos

Tema		Respuestas	Vistas
We couldn't find the code on your site Support advertising	9	2373	18 Octubre 2022
"Refused to load the script" when adding adsense Support	3	1469	10 Marzo 2019
Google Ads Not Displaying Support	11	1327	24 Enero 2023
Adsense CSP Support advertising	0	167	14 Junio 2024
Google Ads not showing Support	9	622	7 Julio 2023

Confundido sobre el contenido de javascript cargado remotamente

Temas relacionados