Stackpath (Formerly MaxCDN) - Invalid or Unexpected Token


(Drew Friestedt) #1

I’m trying to implement the StackPath CDN (formerly MaxCDN).

The site is discuss.360velo.com. I’ve followed the CDN instructions.

I added
DISCOURSE_CDN_URL: https://b7f7x2b6.stackpathcdn.com and rebuilt the app.

The site does not load properly. Upon inspection, I’m getting an Uncaught SyntaxError: … missing / and an Invalid or unexpected token error.

Then I tried
DISCOURSE_CDN_URL: https://b7f7x2b6.stackpathcdn.com/ (I added the / at the end) and rebuilt the app.

Now I get the following error.

Refused to load the script 'https://b7f7x2b6.stackpathcdn.com/assets/browser-update-d924ff41586d6dcda055f0cfb41488724ba2e2d5271fef65ce5f480b46f9231d.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'report-sample' http://discuss.360velo.com/logs/ http://discuss.360velo.com/sidekiq/ http://discuss.360velo.com/mini-profiler-resources/ https://b7f7x2b6.stackpathcdn.com//assets/ https://b7f7x2b6.stackpathcdn.com//brotli_asset/ http://discuss.360velo.com/extra-locales/ https://b7f7x2b6.stackpathcdn.com//highlight-js/ https://b7f7x2b6.stackpathcdn.com//javascripts/ https://b7f7x2b6.stackpathcdn.com//plugins/ https://b7f7x2b6.stackpathcdn.com//theme-javascripts/ https://b7f7x2b6.stackpathcdn.com//svg-sprite/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

What am I missing?


(Michael Brown) #2

DISCOURSE_CDN_URL should not have a slash at the end. Can you go back to your first attempt? Then we can investigate where that error is coming from.

(true, Discourse should handle the CDN URL whether a slash was appended or not)


(Drew Friestedt) #3

OK - thanks for looking into this.

I’ve changed back to
DISCOURSE_CDN_URL: https://b7f7x2b6.stackpathcdn.com
without the trailing slash.

Here is the new error message:
Uncaught SyntaxError: Invalid regular expression: missing /
Uncaught SyntaxError: Invalid or unexpected token


(Michael Brown) #4

OK, that’s better.

If we click on one of those we get binary data that indicates the browser doesn’t understand how to decode what’s being sent back:

If we look at the actual response headers from the CDN:

○ → curl -I https://b7f7x2b6.stackpathcdn.com/brotli_asset/locales/en-7198f510be5ac202c75f0bb40bbaa99b06947b8590d6ed10bb353c4108efc819.js
HTTP/1.1 200 OK
Date: Thu, 14 Mar 2019 15:49:54 GMT
Accept-Ranges: bytes
ETag: "1552576873"
Content-Type: application/javascript
Last-Modified: Thu, 14 Mar 2019 15:21:13 GMT
Access-Control-Allow-Origin: *
Server: nginx
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X-Discourse-Route: static/brotli_asset
Content-Transfer-Encoding: binary
Cache-Control: max-age=31556952, public, immutable
X-Request-Id: 08fe3ea9-569b-4eb8-9dc0-3a60ad2f13f3
X-Runtime: 0.009359
Strict-Transport-Security: max-age=31536000
X-HW: 1552578594.cds008.tr2.hn,1552578594.cds002.tr2.c
Connection: keep-alive
Content-Length: 66601

and compare it with the non-CDN response:

○ → curl -I https://discuss.360velo.com/brotli_asset/locales/en-7198f510be5ac202c75f0bb40bbaa99b06947b8590d6ed10bb353c4108efc819.js
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 Mar 2019 15:52:11 GMT
Content-Type: application/javascript
Content-Length: 66601
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
X-Discourse-Route: static/brotli_asset
Expires: Sat, 14 Mar 2020 15:52:11 GMT
Last-Modified: Thu, 14 Mar 2019 15:21:13 GMT
Content-Encoding: br
Content-Transfer-Encoding: binary
Cache-Control: max-age=31556952, public, immutable
X-Request-Id: 5b139520-2d13-4eb0-83ef-cafc83ba656f
X-Runtime: 0.003118
Strict-Transport-Security: max-age=31536000

You’ll note that the CDN has stripped the important header Content-Encoding: br, which tells the browser “this response is brotli-encoded”. Without it the browser can’t interpret the response properly.

You’ll need to change your CDN configuration to not strip this header.
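
The header comparison above, written out as a small script. This is an added example, not code from the thread, Discourse or StackPath: it parses two `curl -I` style dumps, lists the non-volatile headers that differ between origin and CDN, and flags the specific failure mode here, a body that origin declared as Content-Encoding: br arriving from the CDN with that header gone and the same Content-Length, i.e. compressed bytes handed to the browser as if they were plain JavaScript. The two dumps are constructed from the responses quoted above (a subset of the headers) and the asset path is the one quoted above; nothing is fetched from the network.

```python
"""Diff origin vs CDN response headers for one asset and flag a stripped Content-Encoding.

Added example for this thread, not code from Discourse or StackPath. The header
dumps below are constructed from the `curl -I` output quoted in the thread
(trimmed to a subset of headers); nothing is fetched from the network.
"""
from typing import Dict, List, Optional, Tuple

# Asset from the thread: a Discourse /brotli_asset/ route, which serves brotli-compressed bodies.
ASSET_PATH = "/brotli_asset/locales/en-7198f510be5ac202c75f0bb40bbaa99b06947b8590d6ed10bb353c4108efc819.js"

# Constructed from the CDN response in the thread. Note: no Content-Encoding header.
CDN_DUMP = """HTTP/1.1 200 OK
Date: Thu, 14 Mar 2019 15:49:54 GMT
Accept-Ranges: bytes
ETag: "1552576873"
Content-Type: application/javascript
Last-Modified: Thu, 14 Mar 2019 15:21:13 GMT
Access-Control-Allow-Origin: *
Server: nginx
X-Content-Type-Options: nosniff
X-Discourse-Route: static/brotli_asset
Content-Transfer-Encoding: binary
Cache-Control: max-age=31556952, public, immutable
X-Request-Id: 08fe3ea9-569b-4eb8-9dc0-3a60ad2f13f3
Content-Length: 66601
"""

# Constructed from the direct (non-CDN) response in the thread. Note: Content-Encoding: br present.
ORIGIN_DUMP = """HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 Mar 2019 15:52:11 GMT
Content-Type: application/javascript
Content-Length: 66601
X-Content-Type-Options: nosniff
X-Discourse-Route: static/brotli_asset
Expires: Sat, 14 Mar 2020 15:52:11 GMT
Last-Modified: Thu, 14 Mar 2019 15:21:13 GMT
Content-Encoding: br
Content-Transfer-Encoding: binary
Cache-Control: max-age=31556952, public, immutable
X-Request-Id: 5b139520-2d13-4eb0-83ef-cafc83ba656f
"""

# Per-request / per-edge headers that always differ and carry no signal for this problem.
VOLATILE = {"date", "etag", "expires", "x-request-id", "x-runtime", "x-hw",
            "connection", "accept-ranges"}


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a `curl -I` / `curl -D -` dump into (status line, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status, headers = lines[0], {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")  # split on the first colon only; Date: values contain colons
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def diff_headers(origin: Dict[str, str], cdn: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {name: (origin value, cdn value)} for every non-volatile header that differs."""
    out: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for name in sorted(set(origin) | set(cdn)):
        if name in VOLATILE:
            continue
        o, c = origin.get(name), cdn.get(name)
        if o != c:
            out[name] = (o, c)
    return out


def check_encoding(path: str, origin: Dict[str, str], cdn: Dict[str, str]) -> List[str]:
    """Flag the failure mode from the thread: compressed bytes forwarded without the header
    that declares the compression, so the browser parses brotli output as JavaScript source."""
    problems: List[str] = []
    o_enc, c_enc = origin.get("content-encoding"), cdn.get("content-encoding")
    if o_enc != c_enc:
        msg = f"{path}: origin Content-Encoding={o_enc!r} but CDN Content-Encoding={c_enc!r}"
        if o_enc and not c_enc and origin.get("content-length") == cdn.get("content-length"):
            # Same byte count with the encoding header gone: the body was passed through
            # untouched and only the header was dropped (not decompressed or re-encoded).
            msg += (f"; identical Content-Length {cdn.get('content-length')} shows the "
                    "compressed body was passed through unchanged")
        problems.append(msg)
    if "/brotli_asset/" in path and c_enc != "br":
        problems.append(f"{path}: a Discourse /brotli_asset/ response must reach the browser with Content-Encoding: br")
    return problems


def audit(path: str, origin_dump: str, cdn_dump: str) -> Dict[str, object]:
    """Run the comparison and return a report with the header diff and the detected problems."""
    _, origin = parse_headers(origin_dump)
    _, cdn = parse_headers(cdn_dump)
    return {"diff": diff_headers(origin, cdn), "problems": check_encoding(path, origin, cdn)}


if __name__ == "__main__":
    report = audit(ASSET_PATH, ORIGIN_DUMP, CDN_DUMP)
    for name, (o, c) in report["diff"].items():  # type: ignore[union-attr]
        print(f"{name:32} origin={o!r:<14} cdn={c!r}")
    for p in report["problems"]:  # type: ignore[union-attr]
        print("PROBLEM:", p)
```

To feed it live data, paste the output of `curl -sS -D - -o /dev/null <url>` for each side into the two dump strings. That form issues a GET and discards the body, which is worth doing in addition to `curl -I`: `-I` sends a HEAD request, and a CDN edge can answer HEAD from a different code path (or cache entry) than the GET the browser actually makes. Adding `-H 'Accept-Encoding: br'` makes the request look like the browser's, in case origin or CDN vary the encoding on that header.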


(Drew Friestedt) #5

Awesome. Let me work on that and report back.


(Drew Friestedt) #6

Thanks for the help. I had to submit a support ticket with StackPath and they enabled brotli compression. The site is working as expected.

thx


(Régis Hanol) closed #7