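Update from 2.4.0.beta9 to 2.4.0.beta10 shows a page with no content because of Cloudflare Rocket Loader

This morning I received the email notification to do the one-click browser upgrade, and did so as usual. After it finished, when I go back to the forum, all I get is a blank page: the expected background and header image are shown, but no other content at all.

If I go to /var/discourse and run ./launcher rebuild app, it works as expected, but the forum site still shows the same behavior (header image and background are shown, but no content).

Can you help?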

If I view source, it looks like at least SOME of the content is there…it’s just not visible. No changes to them have been made between 2.4.0.beta9 and current build.

Do you have any errors in your browser console? (Right click, inspect element, then go to the console tab)

3 Likes

Yes:

Refused to load the script ‘https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ https://forums.stillwellaudio.com/logs/ https://forums.stillwellaudio.com/sidekiq/ https://forums.stillwellaudio.com/mini-profiler-resources/ https://forums.stillwellaudio.com/assets/ https://forums.stillwellaudio.com/brotli_asset/ https://forums.stillwellaudio.com/extra-locales/ https://forums.stillwellaudio.com/highlight-js/ https://forums.stillwellaudio.com/javascripts/ https://forums.stillwellaudio.com/plugins/ https://forums.stillwellaudio.com/theme-javascripts/ https://forums.stillwellaudio.com/svg-sprite/ https://www.google-analytics.com/analytics.js”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

20The resource was preloaded using link preload but not used within a few seconds from the window’s load event. Please make sure it has an appropriate as value and it is preloaded intentionally.

Cloudflare’s javascript ‘optimisation’ regularly causes issues with Discourse sites. You should log into your cloudflare account and change the forum domain from an ‘orange cloud’ to a ‘grey cloud’.

6 Likes

That’s an easy fix, thanks. Kind of a bummer since it bypasses all of Cloudflare’s DDOS protection and IP address hiding, but changing it DID make it work. I’ll get with Cloudflare’s support to report the problem.

1 Like

I don’t think there’s much cloudflare can do automatically. There are instructions for allowing rocket loader in the CSP. However, Discourse’s javascript is already heavily optimised, so rocket loader is not required.

If you go into your cloudflare settings, it should be possible to disable rocket loader specifically. Then you can re-enable the proxy and the CSP errors should disappear.

For most users it is easier to disable cloudflare completely, but if you really need the DDOS protection, you can set it up using the instructions here: Full site CDN acceleration for Discourse

5 Likes

Confirmed: disabling Rocket Loader and re-enabling Proxy appears to work as well. That’s a good compromise, thanks!

3 Likes

To be clear you don’t have to turn off the orange cloud, you can also leave it on with a page rule to “disable performance” for the entire site.

Their DDOS protection isn’t tied to the optimization features.

That said, leaving the cloud on slows down every request - so unless you really need DDOS protection or want to use their CDN it’s better left disabled.

5 Likes

I use Argo smart routing and other performance features of Cloudflare, and as a general rule it DOES improve performance noticeably…primarily for the main website on that domain rather than the forum, but the main website is what allows people to buy my products…faster is better. Anyway, turning off that one particular optimization (Rocket Loader) allows Discourse to function behind the proxy, and that’s a decent compromise. Thanks!

3 Likes

Similar issue after upgrade to 2.4.0 beta 10

I do have https://www and https:// version (without www).

https://www-version works just fine.

https://-version becomes blank in Chrome and Safari with lotsa errors in Console.

Refused to load the script ‘’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ ”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

Refused to load the script ‘https://dastereo.ru/assets/locales/ru-2fae24b4e1db72deb2076bee15794ed9e0a6814a5bf52d778e29c106812aaa6c.js’ because it violates the following Content Security Policy directive: “script-src ‘report-sample’ https://www.dastereo.ru/logs/ https://www.dastereo.ru/sidekiq/ https://www.dastereo.ru/mini-profiler-resources/ https://www.dastereo.ru/assets/ https://www.dastereo.ru/brotli_asset/ https://www.dastereo.ru/extra-locales/ https://www.dastereo.ru/highlight-js/ https://www.dastereo.ru/javascripts/ https://www.dastereo.ru/plugins/ https://www.dastereo.ru/theme-javascripts/ https://www.dastereo.ru/svg-sprite/ https://www.google-analytics.com/analytics.js”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback

Is there an easy fix?

Running a site on two domains simultaneously is not supported. You could fix this particular error by disabling Content Security Policy, but I would not recommend it.

The best thing would be to redirect one of the domains to the other.

3 Likes
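Added example (not part of the original thread, and not Discourse or Cloudflare code): a simplified model of how a browser matches a script URL against the host sources in script-src, showing why the Rocket Loader script and the assets requested from the non-www host are both refused. The policy and the example.org hosts are constructed; wildcards, nonces and hashes are not modelled.

```javascript
// Constructed policy in the shape of the ones quoted in the console errors above.
const POLICY = "script-src 'report-sample' https://www.example.org/assets/ " +
  "https://www.example.org/javascripts/ https://www.google-analytics.com/analytics.js";

// Return the source list of the script-src directive, or null if there is none.
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

// Simplified CSP host-source match: scheme, host (with port) and path.
function sourceMatches(source, scriptUrl) {
  if (source.startsWith("'")) return false; // keywords like 'report-sample' allow no URL
  let src;
  try { src = new URL(source); } catch { return false; }
  const url = new URL(scriptUrl);
  const schemeOk = src.protocol === url.protocol ||
    (src.protocol === "http:" && url.protocol === "https:");
  if (!schemeOk) return false;
  if (src.host !== url.host) return false; // www.example.org is not example.org
  // A source path ending in "/" is a prefix; any other path must match exactly.
  return src.pathname.endsWith("/")
    ? url.pathname.startsWith(src.pathname)
    : url.pathname === src.pathname;
}

function checkScript(policy, scriptUrl) {
  const sources = scriptSrcSources(policy);
  // No script-src: this sketch allows; a real browser falls back to default-src.
  if (sources === null) return { allowed: true, matched: null };
  const matched = sources.find((s) => sourceMatches(s, scriptUrl)) ?? null;
  return { allowed: matched !== null, matched };
}

// Constructed sample requests; the Rocket Loader URL is the one from the thread.
const SAMPLES = [
  "https://www.example.org/assets/application.js",
  "https://example.org/assets/locales/ru.js",
  "https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js",
];
for (const u of SAMPLES) {
  console.log(checkScript(POLICY, u).allowed ? "allow  " : "refuse ", u);
}
```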

Do you use Cloudflare as well? If so, you can use two page rules to redirect from:

http://example.com/* → https://example.com/$1
https://example.com/* → https://www.example.com/$1

1 Like