Update from 2.4.0.beta9 to 2.4.0.beta10 yields page with no content - Cloudflare Rocket Loader

I got email notification this morning of a one-click browser upgrade, which I took as usual. Upon completion and return to the forums, all I get is a blank page with the expected background and header image, but no other content.

Switching to /var/discourse and running ./launcher rebuild app runs as expected, but the forum site still has the same behavior (header image + background, no content)

Help?

If I view source, it looks like at least SOME of the content is there…it’s just not visible. No changes to them have been made between 2.4.0.beta9 and current build.

Do you have any errors in your browser console? (Right click, inspect element, then go to the console tab)

3 Likes

Yes:

Refused to load the script ‘https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ https://forums.stillwellaudio.com/logs/ https://forums.stillwellaudio.com/sidekiq/ https://forums.stillwellaudio.com/mini-profiler-resources/ https://forums.stillwellaudio.com/assets/ https://forums.stillwellaudio.com/brotli_asset/ https://forums.stillwellaudio.com/extra-locales/ https://forums.stillwellaudio.com/highlight-js/ https://forums.stillwellaudio.com/javascripts/ https://forums.stillwellaudio.com/plugins/ https://forums.stillwellaudio.com/theme-javascripts/ https://forums.stillwellaudio.com/svg-sprite/ https://www.google-analytics.com/analytics.js”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

20The resource was preloaded using link preload but not used within a few seconds from the window’s load event. Please make sure it has an appropriate as value and it is preloaded intentionally.

Cloudflare’s javascript ‘optimisation’ regularly causes issues with Discourse sites. You should log into your cloudflare account and change the forum domain from an ‘orange cloud’ to a ‘grey cloud’.

6 Likes

That’s an easy fix, thanks. Kind of a bummer since it bypasses all of Cloudflare’s DDOS protection and IP address hiding, but changing it DID make it work. I’ll get with Cloudflare’s support to report the problem.

1 Like

I don’t think there’s much cloudflare can do automatically. There are instructions for allowing rocket loader in the CSP. However, Discourse’s javascript is already heavily optimised, so rocket loader is not required.

If you go into your cloudflare settings, it should be possible to disable rocket loader specifically. Then you can re-enable the proxy and the CSP errors should disappear.

For most users it is easier to disable cloudflare completely, but if you really need the DDOS protection, you can set it up using the instructions here: Full site CDN acceleration for Discourse

5 Likes

Confirmed: disabling Rocket Loader and re-enabling Proxy appears to work as well. That’s a good compromise, thanks!

3 Likes

To be clear you don’t have to turn off the orange cloud, you can also leave it on with a page rule to “disable performance” for the entire site.

Their DDOS protection isn’t tied to the optimization features.

That said, leaving the cloud on slows down every request - so unless you really need DDOS protection or want to use their CDN it’s better left disabled.

5 Likes

I use Argo smart routing and other performance features of Cloudflare, and as a general rule it DOES improve performance noticeably…primarily for the main website on that domain rather than the forum, but the main website is what allows people to buy my products…faster is better. Anyway, turning off that one particular optimization (Rocket Loader) allows Discourse to function behind the proxy, and that’s a decent compromise. Thanks!

3 Likes

Similar issue after upgrade to 2.4.0 beta 10

I do have https://www and https:// version (without www).

https://www-version works just fine.

https://-version becomes blank in Chrome and Safari with lotsa errors in Console.

Refused to load the script ‘’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ ”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

Refused to load the script ‘https://dastereo.ru/assets/locales/ru-2fae24b4e1db72deb2076bee15794ed9e0a6814a5bf52d778e29c106812aaa6c.js’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ https://www.dastereo.ru/logs/ https://www.dastereo.ru/sidekiq/ https://www.dastereo.ru/mini-profiler-resources/ https://www.dastereo.ru/assets/ https://www.dastereo.ru/brotli_asset/ https://www.dastereo.ru/extra-locales/ https://www.dastereo.ru/highlight-js/ https://www.dastereo.ru/javascripts/ https://www.dastereo.ru/plugins/ https://www.dastereo.ru/theme-javascripts/ https://www.dastereo.ru/svg-sprite/ https://www.google-analytics.com/analytics.js”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback

Is there easy fix?

Running a site on two domains simultaneously is not supported. You could fix this particular error by disabling Content Security Policy, but I would not recommend it.

The best thing would be to redirect one of the domains to the other.

3 Likes

Do you use Cloudflare as well? If so, you can use two page rules to redirect from:

http://example.com/* :arrow_right: https://example.com/$1
https://example.com/* :arrow_right: https://www.example.com/$1

1 Like