I got email notification this morning of a one-click browser upgrade, which I took as usual. Upon completion and return to the forums, all I get is a blank page with the expected background and header image, but no other content.
Switching to /var/discourse and running ./launcher rebuild app runs as expected, but the forum site still has the same behavior (header image + background, no content)
Help?
If I view source, it looks like at least SOME of the content is thereâŚitâs just not visible. No changes to them have been made between 2.4.0.beta9 and current build.
Do you have any errors in your browser console? (Right click, inspect element, then go to the console tab)
Yes:
Refused to load the script âhttps://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.jsâ because it violates the following Content Security Policy directive: âscript-src âreport-sampleâ https://forums.stillwellaudio.com/logs/ https://forums.stillwellaudio.com/sidekiq/ https://forums.stillwellaudio.com/mini-profiler-resources/ https://forums.stillwellaudio.com/assets/ https://forums.stillwellaudio.com/brotli_asset/ https://forums.stillwellaudio.com/extra-locales/ https://forums.stillwellaudio.com/highlight-js/ https://forums.stillwellaudio.com/javascripts/ https://forums.stillwellaudio.com/plugins/ https://forums.stillwellaudio.com/theme-javascripts/ https://forums.stillwellaudio.com/svg-sprite/ https://www.google-analytics.com/analytics.jsâ. Note that âscript-src-elemâ was not explicitly set, so âscript-srcâ is used as a fallback.
20The resource was preloaded using link preload but not used within a few seconds from the windowâs load event. Please make sure it has an appropriate as value and it is preloaded intentionally.
Cloudflareâs javascript âoptimisationâ regularly causes issues with Discourse sites. You should log into your cloudflare account and change the forum domain from an âorange cloudâ to a âgrey cloudâ.
Thatâs an easy fix, thanks. Kind of a bummer since it bypasses all of Cloudflareâs DDOS protection and IP address hiding, but changing it DID make it work. Iâll get with Cloudflareâs support to report the problem.
I donât think thereâs much cloudflare can do automatically. There are instructions for allowing rocket loader in the CSP. However, Discourseâs javascript is already heavily optimised, so rocket loader is not required.
If you go into your cloudflare settings, it should be possible to disable rocket loader specifically. Then you can re-enable the proxy and the CSP errors should disappear.
For most users it is easier to disable cloudflare completely, but if you really need the DDOS protection, you can set it up using the instructions here: Full site CDN acceleration for Discourse
Confirmed: disabling Rocket Loader and re-enabling Proxy appears to work as well. Thatâs a good compromise, thanks!
To be clear you donât have to turn off the orange cloud, you can also leave it on with a page rule to âdisable performanceâ for the entire site.
Their DDOS protection isnât tied to the optimization features.
That said, leaving the cloud on slows down every request - so unless you really need DDOS protection or want to use their CDN itâs better left disabled.
I use Argo smart routing and other performance features of Cloudflare, and as a general rule it DOES improve performance noticeablyâŚprimarily for the main website on that domain rather than the forum, but the main website is what allows people to buy my productsâŚfaster is better. Anyway, turning off that one particular optimization (Rocket Loader) allows Discourse to function behind the proxy, and thatâs a decent compromise. Thanks!
Similar issue after upgrade to 2.4.0 beta 10
I do have https://www and https:// version (without www).
https://www-version works just fine.
https://-version becomes blank in Chrome and Safari with lotsa errors in Console.
Refused to load the script ââ because it violates the following Content Security Policy directive: âscript-src âreport-sampleâ â. Note that âscript-src-elemâ was not explicitly set, so âscript-srcâ is used as a fallback.
Refused to load the script âhttps://dastereo.ru/assets/locales/ru-2fae24b4e1db72deb2076bee15794ed9e0a6814a5bf52d778e29c106812aaa6c.jsâ because it violates the following Content Security Policy directive: âscript-src âreport-sampleâ https://www.dastereo.ru/logs/ https://www.dastereo.ru/sidekiq/ https://www.dastereo.ru/mini-profiler-resources/ https://www.dastereo.ru/assets/ https://www.dastereo.ru/brotli_asset/ https://www.dastereo.ru/extra-locales/ https://www.dastereo.ru/highlight-js/ https://www.dastereo.ru/javascripts/ https://www.dastereo.ru/plugins/ https://www.dastereo.ru/theme-javascripts/ https://www.dastereo.ru/svg-sprite/ https://www.google-analytics.com/analytics.jsâ. Note that âscript-src-elemâ was not explicitly set, so âscript-srcâ is used as a fallback
Is there easy fix?
Running a site on two domains simultaneously is not supported. You could fix this particular error by disabling Content Security Policy, but I would not recommend it.
The best thing would be to redirect one of the domains to the other.
Do you use Cloudflare as well? If so, you can use two page rules to redirect from:
http://example.com/* 
https://example.com/$1
https://example.com/* https://www.example.com/$1