Mitigate XSS attacks with a Content Security Policy

As promised, this feature was just enabled by default: CSP Frame Ancestors enabled by default


Hello,
I am currently setting up Google AdSense on my website and it seems I am missing the “Enable CSP violation report collection at /csp_reports” setting… I am currently self-hosting Discourse on version 2.9.0.beta6

Above, in the quote, a screenshot of the setting I am missing.


Above, my settings page for CSP with the “Enable CSP violation report collection at /csp_reports” setting missing.

Any help is appreciated! And please tell me if I have set up the settings I have correctly for AdSense, I have never used it before :eyes:!


Apologies, my earlier replies here are outdated because as of ~ a month ago we made content_security_policy_collect_reports a hidden setting. You can still enable it but you need to do it via the Rails console, as in:

./launcher enter app
...
rails c
...
SiteSetting.content_security_policy_collect_reports = true

Note that this is very noisy, I highly recommend not going down this route at all and simply enabling CSP and navigating the site with the browser console open using multiple browsers (Chrome, Firefox, Safari). You’ll find most issues that way. And with the configuration you have, you’re basically allowing almost all that CSP protects against anyway, so you shouldn’t have any need for the reports.


Maybe I am missing something, but I do not see these settings in the settings UI.

  • content_security_policy
  • content_security_policy_report_only
  • content_security_policy_collect_reports (I see that is hidden now)
  • content_security_policy_script_src

Are these options available to hosted instances? I didn’t see any mention of that being a limitation in the original post or comments.

Edit: Also attempted to set the security policy through a theme.

Does not seem to be working as instructed in original post.


I’m assuming the hosted plan I’m on doesn’t allow this, even when done via a theme or theme component?

Or maybe I am just doing something totally wrong.


Currently, Discourse ships a CSP Level 2 policy with the following directives by default:

  • base-uri restricts the URLs for the <base> element

Is there any option to override the default value for the base-uri header?


Where are <base> elements actually used in discourse?

Would that break Discourse push notifications?

Could be. Might need a more suitable setting.



Hi there,
May I know how to get past the issue below? I have added the script that invokes a new Function() expression to content_security_policy_script_src, but my browser console still reports the error below. Where can I allow the unsafe-eval? Thanks!

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:


Apologies. Please ignore my previous post if my remarks below are correct. I have just learned from the posts above that I can set ‘unsafe-eval’ directly in content_security_policy_script_src, and there is no JS error reported in the console any more.


Maybe have a look at the content security policy script src site setting?


Yes. As said in the previous replies, ‘unsafe-eval’ can be added directly to content_security_policy_script_src; I thought only a URL base or a full URL was allowed.

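Two points in this thread deserve a worked illustration: the reply explaining that /csp_reports collection is noisy, and the later exchange about adding ‘unsafe-eval’ to content_security_policy_script_src. The Ruby below is an added example, not Discourse code: it groups browser-sent CSP violation reports (the standard `csp-report` JSON shape) so the noise becomes readable, and it flags script-src keywords that give back most of what the policy was meant to prevent. The sample reports and the `NOISE_SCHEMES` / `WEAK_SCRIPT_SOURCES` lists are constructed assumptions.

```ruby
require "json"

# Constructed sample reports in the JSON shape a browser POSTs to a
# report-uri endpoint (assumed: one raw JSON document per stored report).
SAMPLE_REPORTS = [
  { "csp-report" => { "document-uri" => "https://forum.example/t/1",
      "effective-directive" => "script-src", "blocked-uri" => "eval",
      "original-policy" => "base-uri 'self'; script-src 'self'" } },
  { "csp-report" => { "document-uri" => "https://forum.example/t/2",
      "effective-directive" => "script-src", "blocked-uri" => "eval",
      "original-policy" => "base-uri 'self'; script-src 'self'" } },
  # A browser extension injecting a script: client-side noise, not a site bug.
  { "csp-report" => { "document-uri" => "https://forum.example/",
      "effective-directive" => "script-src", "blocked-uri" => "chrome-extension",
      "original-policy" => "base-uri 'self'; script-src 'self'" } },
].map(&:to_json)

# Count reports per (directive, blocked-uri) pair so repeated violations
# collapse into one line instead of one report per page view.
def summarize_csp_reports(json_docs)
  counts = Hash.new(0)
  json_docs.each do |doc|
    r = JSON.parse(doc).fetch("csp-report", {})
    # Older reports only carry violated-directive ("script-src 'self' ...").
    directive = r["effective-directive"] || r["violated-directive"].to_s.split.first
    counts[[directive, r["blocked-uri"]]] += 1
  end
  counts
end

# Blocked URIs from browser-extension schemes are client noise (assumed list).
NOISE_SCHEMES = %w[chrome-extension moz-extension safari-extension]

def noise?(blocked_uri)
  NOISE_SCHEMES.any? { |scheme| blocked_uri.to_s.start_with?(scheme) }
end

# Parse a serialized policy string into { directive_name => [sources] }.
def parse_policy(policy)
  policy.split(";").map(&:strip).reject(&:empty?).to_h do |directive|
    name, *sources = directive.split
    [name, sources]
  end
end

# script-src sources that re-enable what CSP is meant to block (assumed list).
WEAK_SCRIPT_SOURCES = %w['unsafe-eval' 'unsafe-inline' * data:]

def weak_script_sources(policy)
  (parse_policy(policy)["script-src"] || []) & WEAK_SCRIPT_SOURCES
end
```

Run `summarize_csp_reports` over the stored reports and drop the `noise?` rows before deciding whether a site script really needs ‘unsafe-eval’; `weak_script_sources` then shows how much of the policy that addition gives away.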