How to fix problem with CSP

Support
1

Hello! I’m have problem with CSP, how to fix this?

screen
screen1210×58 7.99 KB 

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://mydomain.com/logs/ https://mydomain.com/sidekiq/ https://mydomain.com/mini-profiler-resources/ https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/extra-locales/ https://mydomain.com/highlight-js/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/ https://mydomain.com/theme-javascripts/ https://mydomain.com/svg-sprite/ https://mydomain.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ScCk7JwXKy22dTO0VFM7aV1chV+yd/MUda4X6VnGans='), or a nonce ('nonce-...') is required to enable inline execution.

For the test, I went into a safe mode, in safe mode there is the same problem.

1 Like
2

It’s not my forte, but I’ve had a search and you may need to rewrite the inline script you’re trying to use:

2 Likes
3

I don’t want to disable CSP protection and I don’t have external scripts, I tried to disable all the plugins and the components of the topic, it didn’t help.

I try add all this link to content security policy script src in the admin setting, problem was safe :frowning:

https://mydomain.com/logs/ https://mydomain.com/sidekiq/ https://mydomain.com/mini-profiler-resources/ https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/extra-locales/ https://mydomain.com/highlight-js/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/ https://mydomain.com/theme-javascripts/ https://mydomain.com/svg-sprite/ https://mydomain.com`

1 Like
4

You need to share your site URL for we to be able to help you.

3 Likes
5

I can send it to you’re PM?

6

Hm…

It seems I found the reason, it seems that the problem occurs because I use the meta tag CSP in my theme:

<meta http-equiv="Content-Security-Policy" content="img-src https://imgur.com https://giphy.com">

I need to use the img-src directive to limit the display of images from prohibited hosts.

7

Oh that CSP directive will indeed break Discourse completely.

2 Likes
8

How I can change the default CSP directives in header, to added img-src without use meta tag? I’m try this in Rails, but nothing change:

Rails.application.config.action_dispatch.default_headers.merge!({'Content-Security-Policy' => "upgrade-insecure-requests; base-uri 'self'; object-src 'none'; script-src https://mydomain.com/logs/ https://mydomain.com/sidekiq/ https://mydomain.com/mini-profiler-resources/ https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/extra-locales/ https://mydomain.com/highlight-js/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/ https://mydomain.com/theme-javascripts/ https://mydomain.com/svg-sprite/; worker-src 'self' https://mydomain.com/assets/ https://mydomain.com/brotli_asset/ https://mydomain.com/javascripts/ https://mydomain.com/plugins/; frame-ancestors 'self'; manifest-src 'self'; img-src data: https://mydomain.com https://imgur.com"})
9

I’m delete this meta tag, bebuild and problem was safe :frowning: