I'm facing an issue installing the Pure Chat script in my forum, because Discourse enables a whitelist filter for security protection. I tried to add a few Pure Chat links to the whitelist but still cannot get the Pure Chat conversation tab to show. Kindly assist; here is the error message:
```
legacy.111147.js:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
    at new Function (<anonymous>)
    at Function.b.template (legacy.111147.js:1)
    at Module.<anonymous> (legacy.111147.js:32)
    at n (legacy.111147.js:1)
    at Object.<anonymous> (legacy.111147.js:32)
    at n (legacy.111147.js:1)
    at legacy.111147.js:1
    at legacy.111147.js:1
```
Does anyone know how to settle this issue? If I disable CSP the script works fine, but how can I enable CSP and have it work too?
Full disclosure - I do not consider myself a CSP guru!
With that said, I think there are scenarios where it would be ideal to whitelist the domain, and other scenarios where it’s better to target the individual scripts. I’m pretty sure it depends on how many scripts you find you need to whitelist, whether you trust the source, etc. I’ll add a note to the guide that mentions that you can use the domain as a cover-all if needed.
The settings in the provided screenshots definitely were a little overkill, but I imagine that was just an attempt to cover everything since nothing was working.
I just tried adding Pure Chat to my test site as an experiment. I could get it working on Chrome using a hash, but it wasn’t enough for Safari and Firefox. I ran it by Penar and this does appear to be one of those unfortunate situations that will require 'unsafe-inline' as mentioned in:
@BishopV I think your only option if you choose to stay with Pure Chat is to remove all of the entries you have in that setting and add 'unsafe-inline' at the cost of security.
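As an added illustration for this thread (not code from any of the posters, Discourse or Pure Chat): a simplified Node.js model of how a browser's `script-src` check treats hash sources, `'unsafe-inline'` and `'unsafe-eval'`. The function names, sample snippet and policies are constructed for the example, and the model ignores nonces on the element, `'strict-dynamic'` and `script-src-elem`.

```javascript
const crypto = require('crypto');

// CSP hash source for an inline script: base64 SHA-256 of the exact script text.
function cspHash(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Source list of the directive that governs scripts (script-src, else default-src).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Would this policy let an inline <script> with exactly this text run?
function allowsInline(policy, scriptText) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive, nothing restricted
  if (sources.includes(cspHash(scriptText))) return true;
  // Browsers ignore 'unsafe-inline' once any hash or nonce source is present.
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasHashOrNonce;
}

// Would this policy let eval() / new Function() run? Only 'unsafe-eval' grants that.
function allowsEval(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-eval'");
}

// Constructed sample input: a stand-in for a widget's inline loader snippet.
const snippet = 'window.constructedWidget = { loaded: true };';
const hashPolicy = `script-src 'self' ${cspHash(snippet)}`;
const inlinePolicy = "script-src 'self' 'unsafe-inline'";

console.log('hash policy   inline:', allowsInline(hashPolicy, snippet), 'eval:', allowsEval(hashPolicy));
console.log('inline policy inline:', allowsInline(inlinePolicy, snippet), 'eval:', allowsEval(inlinePolicy));
```

A hash matches only byte-identical script text, so a snippet that changes between loads needs a new hash each time.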