CSP error when adding a script via a theme component

Issue with Strict Dynamic and CSP on Atlassian Widget

I am encountering an issue with Content Security Policy (CSP) after updating to v3.3.0.beta1. Specifically, I’m trying to embed an Atlassian widget in the header of my container, which was created before this update.

Here’s what I’ve added to the header:

<script data-jsd-embedded nonce="{{content_security_policy_nonce}}" data-key="bla" data-base-url="https://jsd-widget.atlassian.com" src="https://jsd-widget.atlassian.com/assets/embed.js"></script>

I’ve ensured to include the nonce, but I’m running into the following errors:

embed.js:1 Refused to set the document's base URI to 'https://jsd-widget.atlassian.com/' because it violates the following Content Security Policy directive: "base-uri 'self'".

embed.js:1 Refused to load the script 'https://jsd-widget.atlassian.com/assets/iframe.js' because it violates the following Content Security Policy directive: "script-src 'nonce-YAnMdLzmoWqLis3WXiQKjxdHk' 'strict-dynamic'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Additionally, I came across a suggestion in an earlier post to dynamically load the script like this:

javascript

var s = document.createElement('script');
s.src = "https://jsd-widget.atlassian.com/assets/embed.js";
document.body.appendChild(s);

However, this doesn’t seem to resolve the issue. I’m clearly missing something about how strict-dynamic is supposed to work in this context.

Can someone help me understand why these errors are occurring and how I might resolve them? Any guidance would be appreciated!

Funnily enough I was just looking at an almost identical issue.

I can repro a similar issue on latest that was recently rebuilt

I’m getting:

[Report Only] Refused to load the script 'https://www.mytestsite.com/mini-profiler-resources/includes.js?v=116e2a6fd81c286e004e2a0afb03baa1' because it violates the following Content Security Policy directive: "script-src 'nonce-ZSPIEwDBo6e07GuQMDkOFZerD' 'strict-dynamic'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Can either of you share a link to a site showing this issue? Happy to take a quick look

If you’ve added this via a theme components, then you should remove the nonce= part. Discourse will add it automatically (and I think adding it yourself may break the automatic system)

Closing the loop on this - @merefield and I discussed via PM, and tracked it down to a report-only-specific issue. Fix here: FIX: Mini-profiler CSP nonce when in report-only mode by davidtaylorhq · Pull Request #28664 · discourse/discourse · GitHub

So it looks like this is a different issue to the one @devops1 is seeing

Hi David Thanks so much.
For the quick response

The code I am adding is
<script data-jsd-embedded data-key="bla" data-base-url="https://jsd-widget.atlassian.com" src="https://jsd-widget.atlassian.com/assets/embed.js"></script>

I removed the nonce as requested.

This is the site https://onlinecommunity.stroke.org.uk/
I have turned on content security policy report only

Is the theme component enabled? I don’t see any atlassian script when I check in dev-tools

I think that should work now I found the script in the page source.

It looks like the embed.js script is running successfully, so the Discourse side of things is working.

However, it is then trying to create a same-origin iframe, which includes ‘parser-inserted’ script tags. That kind of strategy is not compatible with a strict-dynamic CSP.

So I think this is something which atlassian would need to fix. I came across this issue on their tracker which seems relevant (although doesn’t have much detail, or a resolution )

Thanks so much for looking into the issue for me David.