I’m running a self-hosted instance of Discourse at forum.embeetle.com. It has been running well for multiple years now.
This morning, I noticed that all keyboard and mouse interaction with the forum in the browser stopped working. I can load any page from the forum, but I cannot scroll, log in, search, …
I tried both Firefox and Chromium: same issue.
Firefox developer tools show this error:
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). forum.embeetle.com:362:10
I did not recently do any updates or install any new plugins.
Any suggestions on how I can debug and fix this?
AFAIK, I have a standard docker-based installation, except that I am running it behind an Nginx reverse proxy. Nginx config below (not sure it is relevant):
I don’t remember ever setting a theme by default, but maybe I did and forgot about it.
I’d like to temporarily disable themes by default, so that our forum is usable while we figure out what is wrong with themes. How can I do that, if I can only access the admin pages with themes disabled? In safe mode, all themes are already disabled, and enabling and then re-disabling them seems to have no effect.
There are three themes available (see below). None of them is enabled by default.
Strange, for me in Safari, it’s reporting that it refuses to execute line 315, which is the inline script for the Discourse-splash preloader. So not theme related.
For an immediate fix, you could disable CSP using a site-setting:
Just speculating: If the issue then still persists, it might be your server environment sending something unexpected. Or another script interfering (are you running any custom plugins or other scripts?)
Note that that will leave you in a vulnerable state and should be remedied ASAP. But at least your forum is working again.
To allow further exploration of this issue, I have also duplicated the forum server without the rewrite at https://raw.forum.embeetle.com. If you visit that URL, you will still see the original issue.
I am not using any custom scripts. I am using some plugins, and will experiment to see if disabling any of them has any effect.
Found it: it was indeed an issue with my nginx configuration that now accidentally emitted a Content-Security-Policy header that is too strict for Discourse.
Removing the Content-Security-Policy fixed my issue.
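The cause found in this thread, a reverse proxy adding its own Content-Security-Policy header on top of whatever policy the application sends, can be spotted from the response headers: browsers enforce every policy they receive, and an inline script must pass all of them. The following is an added example and not part of the original thread; the sample headers, the nonce value and the function names are constructed for illustration.

```python
# Added example. The headers below are constructed, not captured from the forum.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Content-Security-Policy: script-src 'self' 'nonce-EXAMPLENONCE'; object-src 'none'
Content-Security-Policy: default-src 'self'
"""

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def csp_policies(raw_headers):
    """Return each enforced policy as {directive: [sources]}, in header order."""
    policies = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "content-security-policy":
            continue  # also skips Content-Security-Policy-Report-Only
        for policy_text in value.split(","):  # a comma separates policies
            directives = {}
            for part in policy_text.split(";"):
                tokens = part.split()
                if tokens:  # on a repeated directive the first one wins
                    directives.setdefault(tokens[0].lower(), tokens[1:])
            if directives:
                policies.append(directives)
    return policies

def allows_inline_script(policy, nonce=None):
    """Simplified inline <script> check; hash sources are never matched here."""
    for directive in ("script-src-elem", "script-src", "default-src"):
        if directive in policy:
            sources = policy[directive]
            break
    else:
        return True  # this policy does not restrict scripts at all
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    # 'unsafe-inline' is ignored once a nonce or hash source is present
    restricted = any(s.lower().startswith(HASH_OR_NONCE) for s in sources)
    return "'unsafe-inline'" in (s.lower() for s in sources) and not restricted

def inline_script_blockers(raw_headers, nonce=None):
    """An inline script must pass every policy; return the ones that block it."""
    return [p for p in csp_policies(raw_headers)
            if not allows_inline_script(p, nonce)]

if __name__ == "__main__":
    for policy in inline_script_blockers(SAMPLE_RESPONSE_HEADERS, "EXAMPLENONCE"):
        print("blocks inline script:", policy)
```

To audit a live site, feed it the header block saved from `curl -sI` and look for more than one policy in the result of `csp_policies`.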