Inserting Javascript yields 403 error

According to previous posts in this forum, it should be possible to insert custom Javascript code into the or fields of the default theme, but whenever I try to do so, I get a popup saying “403 error”. Given that I am the admin but not a developer, how can I add my one line of custom Javascript?


You may not have permission to use the script resources because of some Referrer-Policy; make sure they have public access or the right permissions.

I’m experiencing the same problem. Did you manage to fix it, @Judith ?

Even a test with `<script></script>` gives me a 403, so I’m not sure whether it’s a Referrer-Policy issue?

Unfortunately not :frowning:

Could you give us some more details about what you’re trying to add and where? That might rustle up a few more community responses?


It fails at any level. I went to Default Theme > Edit CSS/HTML > Common > Header and as an experiment I tried to add

```html
<script>
alert("Test");
</script>
```

and even that fails with a popup saying “403 error”, so I didn’t even try to do anything more fancy.

I have an installation on DigitalOcean exactly according to the textbook and updated to the latest version. Is it necessary to change anything about the standard installation in order to be able to use Javascript?

Let's tuck this away as I don't think it's useful after all...

Could you try adding it as a custom theme component instead?

Quick how-to:

  • Go to /admin/customize/themes
  • Click on install and then create new
  • Give it a name, and select ‘component’.
  • Create
  • Add it to your theme
  • Click on the Edit CSS/HTML button and make your changes there

And save. :+1:


Though I’ve also tested it in my default theme header too, and that has worked. So there may be something unusual about your setup. Does it work when you try to trigger it in safe mode?

Hang on, this sounds familiar. Do you have any browser extensions you can turn off? (or try in a private window) And is there more detail on the errors in the console?

Do you have any kind of Web Application Firewall in front of Discourse (eg. CloudFlare or AWS WAF)? It might be detecting it as a Cross-Site Scripting attack.
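
A triage helper for the WAF question above, added here as an example; it is not part of any poster's reply and not Discourse code. It takes the status and headers of the failing save request (copied from the browser's Network tab) and reports whether the 403 most likely came from the application or from a proxy in front of it. The function name `classify403`, the sample responses and the header heuristics are assumptions of this example.

```javascript
// Added example (not Discourse code): decide which layer most likely produced a 403
// from a response copied out of the browser's Network tab.
function classify403(resp) {
  if (resp.status !== 403) return { layer: "n/a", reasons: ["status is not 403"] };
  const h = {};
  for (const [k, v] of Object.entries(resp.headers || {})) h[k.toLowerCase()] = String(v);
  const reasons = [];

  // Assumption: Discourse sets X-Discourse-Route on responses its controllers
  // generate, so its presence means the request got past any proxy in front.
  const reachedApp = "x-discourse-route" in h;
  if (reachedApp) reasons.push("x-discourse-route=" + h["x-discourse-route"]);

  // Proxy markers only show the response passed through that product; CF-RAY is on
  // every Cloudflare-proxied response, blocked or not.
  const server = h["server"] || "";
  const edge = [];
  if ("cf-ray" in h || /cloudflare/i.test(server)) edge.push("Cloudflare");
  if ("x-amz-cf-id" in h) edge.push("CloudFront");
  if (/^awselb/i.test(server)) edge.push("AWS load balancer");
  if (edge.length) reasons.push("proxy markers: " + edge.join(", "));

  // Heuristic (assumption): the theme editor saves via XHR and expects JSON, so an
  // HTML 403 body points at a block page from something in front of the app.
  if (/text\/html/i.test(h["content-type"] || "")) reasons.push("HTML body on an XHR save");

  if (reachedApp) return { layer: "application", reasons };
  if (edge.length) return { layer: "edge", reasons };
  return { layer: "unknown", reasons };
}

// Constructed sample responses (placeholder values, not captured from a real site).
const SAMPLE_EDGE_BLOCK = { status: 403, headers: {
  "Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
  "Content-Type": "text/html; charset=UTF-8" } };
const SAMPLE_APP_DENY = { status: 403, headers: {
  "Server": "cloudflare", "CF-RAY": "0000000000000000-XXX",
  "X-Discourse-Route": "themes/update",
  "Content-Type": "application/json; charset=utf-8" } };

for (const [name, r] of Object.entries({ SAMPLE_EDGE_BLOCK, SAMPLE_APP_DENY })) {
  const out = classify403(r);
  console.log(name, "->", out.layer, "|", out.reasons.join("; "));
}
```

An "edge" result is a reason to look at the proxy's firewall event log for the blocked request; an "application" result means the WAF is not the cause.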

How about Head not Header?


This error was not happening just a week ago on a test Discourse instance I have and is happening this week.
I tried all possible locations, but to be honest, JS belongs just before the closing body tag, not in the head, so that is where I would like it to go (and that is what worked just last week).

It just pops up a 403 error modal, that’s it.
I made sure this is not due to components or theme… but not sure if it is due to some setting I inadvertently changed?