Protocol agnostic CDN URLs are problematic

So one potential issue I’ve found was that I was using

//cdn-url.example.com

in my app.yml – changing it to

https://cdn-url.example.com

made things better, there are no errors now.

6 Likes

Yes, I had the same problem @itsbhanusharma. It’s too bad our default CSP policy doesn’t allow CDN URLs of the protocol agnostic form

//discourse.cdn.example.com

Is there some reason why we hard-coded this to https instead of being protocol agnostic @sam? Does CSP require https?

5 Likes

Protocol agnostic CDN is a bad practice, we should not be using that anywhere really.

10 Likes

Besides, CSP specification mandates the protocol scheme to start with a letter, which rules out the //; or to use no protocol at all (just the hostname, or none, or self, etc.) – which also works, but indeed the mix of HTTPS and HTTP already causes browsers (at least Firefox) to turn the green lock into a grey lock with an orange warning sign. No very user friendly.

2 Likes

Should we just silently convert a schemeless CDN to https on config file load?

3 Likes

mayyyyybe… I kind of prefer not to cause we will still be lumped with fixing all history with a remap anyway.

2 Likes

I think a rebuild should freak out if it sees a CDN beginning with // and return a console error advising the user that this is a bad practice, and refuse to progress.

3 Likes

Sure… why not

https://github.com/discourse/discourse_docker/commit/49bc616a963994715b02f792776acf1388314086

7 Likes