Theme component invalid “extend content security policy” value

Symptoms: after updating to 3.4 the entire forum gave “Oops”. To make things worse, the logs stayed completely silent about this.

There was a theme component with “extend security policy” with value script-src: 'unsafe-eval' https://redacted.example.com

This crashed the entire forum because of an exception thrown in the action dispatcher, because there was a space in the value.

ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError (Invalid Content Security Policy script-src: \"'unsafe-eval' https://redacted.example.com\". Directive values must not contain whitespace or semicolons. Please use multiple arguments or other directive methods instead.)

Oh I forgot the most important thing. Safe mode did not work!!


I will look into this further and get back to you. What was the Discourse version of your forum before the upgrade to 3.4?


It was on 3.3.3.

Hey @michaeld, I’ve merged in a fix onto the latest main with FIX: invalid CSP directive sources should allow site to boot with valid CSP directives by tyb-talks · Pull Request #31256 · discourse/discourse · GitHub. This is also available in tests-passed and stable now.

This change in behaviour in handling CSP directives stemmed from a backported security patch in Rails - I touch on this in more detail in the PR. :slight_smile: Discourse will now filter out such values before building the CSP.

Regarding Safe mode, as it only disables the JavaScript side of things, it wouldn’t have helped here since this data is processed server-side.

