Hello everyone, after following the guide for Discourse here (https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md) I seem to run into an error that I cannot find anything on. When I connect to Discourse to register my admin account and get to the wizard, I type in my info and get an email, and if I click on the link in the email I get to a page with a single button that says “Click here to activate your account”, but when clicking this button nothing happens. The errors I have in Chrome's console are as such:
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL>". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
A quick update: I installed a browser extension to disable CSP and Discourse works. I was able to get through the setup wizard and get everything set up, but as soon as I turn off the extension I get the infamous “white page of death”. Is there any way to disable CSP for Discourse?
Also, just to confirm, you are not doing anything wacky like putting your site behind Cloudflare, are you? If you are, disable it immediately and try again.
I cannot reproduce this. I tried on three separate environments:
a fresh install on DigitalOcean (after clicking on “Click here to activate your account”, I see the wizard loading, no console errors)
an install on DigitalOcean from a few days ago, I tested by signing up as a new user and activating the account, again no issues
an existing, active Discourse site, signed up as a new user, and activation process again worked without errors
@Airwarfare I’m also a little confused by the error message in your original post. Do you see literally <URL> <URL> <URL> ... in the Chrome console, or did you replace your site’s domain with a <URL> yourself when pasting the console error? Because if the actual output in Chrome console is <URL><URL>... then you’ve got a misconfigured site, the CSP policy should include several valid URLs.
I didn’t change the error; that is exactly what I see in the Chrome console. As for the site being misconfigured, I am a bit confused. I bought a domain from GoDaddy and then a droplet from DigitalOcean. I am currently looking into changing the nginx config to try and fix the problem.
I currently have DISCOURSE_HOSTNAME: forums.mydomain.org where “mydomain” is the name of the domain I bought off of GoDaddy, and that is formatted exactly as I see it in the app.yml
The domain has an A record pointing to the IP of the box and a TXT record for SparkPost’s email service. I have been typing in my domain name to get to the site, but now that you mention it, whenever I type in the domain, once the site loads I see the IP in the URL bar of Chrome, if that has anything of importance.
That’s the issue. CSP only allows scripts to run on the configured domain, not the IP. You need to figure out why the domain is redirecting to the IP, you definitely don’t want that.
I just did a test on a DO instance and I could reproduce the original issue: I changed the hostname in my app.yml from my test domain name to the instance’s IP, rebuilt the container, and tried loading the site using the domain name, and I got the same error as you (white screen with the CSP error logs).
I changed the configuration on my domain so now when I go to the address I see the domain instead of the IP, but I still have CSP errors in the Chrome console. The domain I have set up in Discourse is forums.mydomain.com; the domain I see in Chrome is www.forums.mydomain.com. When setting up Discourse, do I need to include the www?
Yup, had a minor typo in the domain that I caught. Everything is working now! No more CSP errors. Thanks a lot, I really appreciate your help and support!
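Added example (not part of the original thread and not Discourse's own code): a simplified script-src host-source matcher showing why the same policy passes scripts on the configured hostname but blocks them when the address bar shows the bare IP or a stray `www.` prefix. The policy string, `forums.example.org`, `203.0.113.10` and `/assets/app.js` are constructed placeholders, and it assumes scripts are requested relative to the origin shown in the address bar.

```javascript
// Added example. POLICY is constructed sample data, not Discourse's real policy.
const POLICY =
  "script-src 'unsafe-eval' 'report-sample' " +
  "https://forums.example.org/assets/ https://forums.example.org/javascripts/";
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the source expressions listed for one directive of a CSP string.
function sourceList(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return [];
}

// Simplified host-source match: exact scheme, host (with *. wildcard), port, path.
// Quoted keywords, nonces, hashes and bare scheme sources are not handled.
function matchesSource(source, url) {
  if (source.startsWith("'")) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const want = host.toLowerCase(), got = url.hostname.toLowerCase();
  const hostOk = want.startsWith("*.") ? got.endsWith(want.slice(1)) : got === want;
  if (!hostOk) return false;
  const gotPort = url.port || DEFAULT_PORT[url.protocol];
  if (port !== "*" && gotPort !== (port || DEFAULT_PORT[url.protocol])) return false;
  if (!path || path === "/") return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Resolve a relative script path against the address-bar URL, as the browser
// does, then test the resulting URL against script-src.
function scriptAllowed(policy, pageUrl, scriptPath) {
  const url = new URL(scriptPath, pageUrl);
  return sourceList(policy, "script-src").some((s) => matchesSource(s, url));
}

// Constructed cases: configured hostname, bare IP, and a stray "www." prefix.
for (const page of ["https://forums.example.org/", "https://203.0.113.10/",
                    "https://www.forums.example.org/"]) {
  console.log(page, scriptAllowed(POLICY, page, "/assets/app.js") ? "allowed" : "blocked");
}
```

To check a live site the same way, compare the host in the address bar after the page loads with the hosts listed in the `Content-Security-Policy` response header.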