Upgrade to 2.4.0.beta9 causing CSP issues

Hi,

I have upgraded from 2.4.0.beta8 to 2.4.0.beta9 using the Admin console. There are now 44 console errors when loading the landing page of the format:

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'report-sample' <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL> <URL>". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

discourse-doctor shows no obvious red flags and neither cleanup app nor rebuild app has helped.

Any suggestions? Thanks in advance!

1 Like

Just to add a little more detail, as I see there are topics related to Cloudflare, the scripts that are in violation are all in either:

https://<your_site>/assets/

or

https://<your_site>/mini-profiler-resources/

1 Like

Having followed the same steps as described at Site is not loading cause of CSP, the site now loads. Not a solution, just a workaround.

The only other details I have found with respect to the site are:

  1. it is using a DNS A record to redirect from the original installation URL, and
  2. the first URL in the console error following 'report-sample' is truncated at different points in each message.

Any suggestions, still welcome :slight_smile:

2 Likes

Are you hosted on a custom public port?

1 Like

Change in /admin/site_settings/category/security

to => content security policy - Enable Content-Security-Policy = false

That makes your site vulnerable. Not recommended.

Had the issue and simply had to whitelist my sources in /admin/site_settings/category/security under content security policy script src to get rid of the errors.

1 Like

Having this same issue, I can’t get to /admin/site_settings/category/security

Is there a safe mode?

Even safe mode throws this error, even after checking all 3 options.

I was able to fix this by going into the Rails console and disabling CSP, then manually adding all my sources to the list, then re-enabling CSP.

Had some issues with inline Google Ads stuff too (using the official ad plugin); still had to enable 'unsafe-inline' in the CSP.
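The browser behaviour behind the console error quoted at the top of this thread, as an added example that is not Discourse's code and not anything the posters ran: a minimal JavaScript model of how a script URL is matched against the script-src source list (with the script-src-elem / script-src / default-src fallback chain the error text mentions). The origins forum.example.com and cdn.example.com, the custom public port 8443 and the asset file names are constructed placeholders. It shows why a site served on a non-default port is refused unless that port (or 'self') is listed, which is what the custom-port question and the whitelisting replies above are getting at, and why an inline script is refused unless 'unsafe-inline' (or a nonce or hash, not modelled here) is present.

```javascript
// Added example: a minimal Content-Security-Policy source matcher for scripts.
// Not Discourse code; hostnames, port and file names are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// "script-src 'report-sample' https://a https://b" -> { name, sources }
function parseDirective(directiveText) {
  const [name, ...sources] = directiveText.trim().split(/\s+/);
  return { name: (name || '').toLowerCase(), sources };
}

// The directive a browser consults for <script src>: script-src-elem if set,
// otherwise script-src, otherwise default-src (the fallback from the error).
function effectiveScriptDirective(policy) {
  const directives = policy.split(';').map(parseDirective).filter(d => d.name);
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    const d = directives.find(x => x.name === name);
    if (d) return d;
  }
  return null;
}

function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// 'self' means scheme, host AND port of the page must match.
function sameOrigin(a, b) {
  return a.protocol === b.protocol &&
    a.hostname.toLowerCase() === b.hostname.toLowerCase() &&
    effectivePort(a) === effectivePort(b);
}

// Match one host-source expression (https://cdn.example.com, *.example.com:*,
// https://forum.example.com/assets/) against a URL, following CSP3 rules
// for scheme, wildcard host, port and path.
function hostSourceMatches(source, url, page) {
  const m = source.match(
    /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i
  );
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match; with none, the page's scheme is
  // used, and an http page may also load https scripts.
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }

  // Host: '*' is any host, '*.example.com' is subdomains only.
  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (h !== '*' && !(h.startsWith('*.') && uh.endsWith(h.slice(1))) && h !== uh) {
    return false;
  }

  // Port: no port in the source means the scheme's default port only, so a
  // site on a custom public port is refused until that port is listed.
  if (port) {
    if (port !== '*' && port !== effectivePort(url)) return false;
  } else if (effectivePort(url) !== DEFAULT_PORTS[url.protocol]) {
    return false;
  }

  // Path: trailing '/' is a prefix match, anything else must match exactly.
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// scriptUrl === null models an inline <script> block.
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const directive = effectiveScriptDirective(policy);
  if (!directive) return { allowed: true, directive: null };
  const page = new URL(pageOrigin);
  if (scriptUrl === null) {
    // Only 'unsafe-inline' is modelled; a matching nonce or hash would also pass.
    return { allowed: directive.sources.includes("'unsafe-inline'"), directive: directive.name };
  }
  const url = new URL(scriptUrl);
  const allowed = directive.sources.some(src => {
    if (src === "'self'") return sameOrigin(url, page);
    if (src.startsWith("'")) return false; // 'none', 'report-sample', nonces, hashes
    return hostSourceMatches(src, url, page);
  });
  return { allowed, directive: directive.name };
}

// Constructed sample: policy of the shape quoted in the thread, a site on a
// custom public port, and the two asset paths the poster saw refused.
const POLICY = "script-src 'report-sample' https://forum.example.com https://cdn.example.com";
const PAGE = 'https://forum.example.com:8443';
const SCRIPTS = [
  'https://forum.example.com:8443/assets/application.js',
  'https://forum.example.com:8443/mini-profiler-resources/includes.js',
  'https://cdn.example.com/ember.js',
];

function report(policy, page, scripts) {
  return scripts.map(s => ({ script: s, ...scriptAllowed(policy, page, s) }));
}

for (const r of report(POLICY, PAGE, SCRIPTS)) {
  console.log(r.allowed ? 'loaded ' : 'refused', r.script, '(' + r.directive + ')');
}
// Whitelisting the real origin, port included, clears the refusal without
// turning CSP off, as the replies above describe.
for (const r of report(POLICY + ' https://forum.example.com:8443', PAGE, SCRIPTS)) {
  console.log(r.allowed ? 'loaded ' : 'refused', r.script, '(after whitelisting)');
}
```

Run with node; the first loop refuses the two same-host assets (port 8443 is not the default for https and is not in the list) while the CDN script loads, and the second loop shows all three allowed once the exact origin is listed. Adding 'self' instead of the explicit origin has the same effect for same-origin assets, and is the narrower fix; 'unsafe-inline' should be reserved for the inline-script case and widens the policy considerably.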