Content-Security-Policy now uses 'strict-dynamic'

From v3.3.0.beta1, Discourse implements a ‘strict-dynamic’ Content Security Policy (CSP). This will eliminate the need for manual CSP config, and will greatly improve compatibility with external tooling like tag-managers and advertising.

As a site administrator, you don’t need to do anything. The change will take effect automatically, and any external scripts you’re using will keep working.

No changes are required for themes. A small number of plugins [1] may need a small tweak for compatibility with this change (e.g. 1, 2).

Forums which previously disabled CSP for compatibility with external scripts should now be able to re-enable it without any issues or configuration effort.
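To make the behaviour above concrete, here is a small Ruby model (added here; not Discourse's own code, whose header and nonce generation this post does not show) of the strict-dynamic decision rule: a nonced loader such as a tag manager may inject further scripts through DOM APIs, while a script pasted into the markup without the nonce is blocked, which is exactly why a plugin that emits a <script> from a template needs a tweak. The header shape, the helper names and the three script attributes are assumptions that simplify what browsers actually do.

```ruby
require "securerandom"

# Fresh per-response nonce (128 bits, base64), which a strict-dynamic policy requires.
def csp_nonce
  SecureRandom.base64(16)
end

# Assumed header shape: the nonce plus 'strict-dynamic'. 'unsafe-inline' and https:
# are ignored by browsers that understand 'strict-dynamic' and only serve as a fallback.
def strict_dynamic_policy(nonce)
  "script-src 'nonce-#{nonce}' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'"
end

# Simplified model of the browser's decision for one <script> under that policy.
# script keys: :nonce (String or nil), :parser_inserted (HTML, innerHTML, document.write),
# :created_by_trusted (appended via createElement by a script that was itself allowed).
def script_allowed?(policy, script)
  expected = policy[/'nonce-([^']+)'/, 1]
  return true if script[:nonce] && script[:nonce] == expected  # carries the right nonce
  return false if script[:parser_inserted]                      # trust never propagates to markup
  script[:created_by_trusted] == true                           # trust propagates via DOM APIs
end

# The plugin-side fix: a server-rendered <script> must carry the response nonce.
def nonced_script_tag(nonce, src)
  %(<script nonce="#{nonce}" src="#{src}"></script>)
end

# Walks the tag-manager scenario and a plugin template script, returning each decision.
def demo
  nonce  = csp_nonce
  policy = strict_dynamic_policy(nonce)
  fixed_nonce = nonced_script_tag(nonce, "/plugin.js")[/nonce="([^"]+)"/, 1]
  {
    nonced_loader:       script_allowed?(policy, { nonce: nonce, parser_inserted: true }),
    loader_child:        script_allowed?(policy, { nonce: nil, parser_inserted: false, created_by_trusted: true }),
    loader_inner_html:   script_allowed?(policy, { nonce: nil, parser_inserted: true, created_by_trusted: true }),
    plugin_erb_no_nonce: script_allowed?(policy, { nonce: nil, parser_inserted: true }),
    plugin_erb_fixed:    script_allowed?(policy, { nonce: fixed_nonce, parser_inserted: true }),
  }
end
```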

For the technical details, check out this topic:

For now, it is still possible to switch back to the old system by disabling the ‘content security policy strict dynamic’ site setting. If you have any reason to do this, please let us know! As it stands, we intend to drop support for the old mode in v3.3.0.beta2.

  1. Technically: those which introduce <script> elements via register_html_builder or an ERB template