CSP problems: Incomplete CSP (requires: default-src)

The default CSP doesn’t set certain things that should be set - default-src should be “self”, the URL, and the CDNs if configured. This is done for the script bits, but default-src not being set while other CSP items are set will error when connecting to the CDN, etc. in some cases because of the chaos.

This was discovered when configuring things on a test instance and debugging a Discourse instance now on a MinIO object storage and CDN system from StackPath.

There is no way to alter this, it seems, so there may need to be new settings to configure CSP with certain default-src items. Otherwise, the CSP works as expected.

(Chrome has this issue; Firefox in some cases, but mostly Chrome.)

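As an added illustration of the point in the post (example code, not Discourse's own CSP builder): a small checker that parses a CSP header, shows which fetch directives are left without any governing source list when default-src is absent, and builds a header with default-src set to 'self', the site URL and the CDN hosts. The host names are constructed placeholders.

```python
"""Added example: inspect a CSP header for a missing default-src and build a
hardened replacement. Not from the original post or from Discourse."""
from __future__ import annotations

# Fetch directives that inherit default-src when they are not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "frame-src", "worker-src")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]]) -> dict[str, list[str] | None]:
    """Source list that actually governs each fetch directive: its own list,
    the default-src list, or None when neither exists (nothing restricts it)."""
    default = policy.get("default-src")
    return {d: policy.get(d, default) for d in FETCH_DIRECTIVES}


def unrestricted_directives(header: str) -> list[str]:
    """Fetch directives left unrestricted because default-src is absent."""
    eff = effective_sources(parse_csp(header))
    return [d for d, src in eff.items() if src is None]


def build_csp(site_url: str, cdn_hosts: list[str]) -> str:
    """Build the policy the post asks for: default-src limited to 'self', the
    site URL and any configured CDN hosts, with script-src using the same list."""
    sources = " ".join(["'self'", site_url, *cdn_hosts])
    return "; ".join([
        f"default-src {sources}",
        f"script-src {sources}",
        "object-src 'none'",
        "base-uri 'self'",
    ])


# Constructed sample: script-src set but default-src missing, as described above.
WEAK_CSP = "script-src 'self' https://cdn.example.test; object-src 'none'"
HARDENED_CSP = build_csp("https://forum.example.test", ["https://cdn.example.test"])
```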