Facing an issue when installing an HTML script?

I'm facing an issue installing the Pure Chat script in my forum, because Discourse enables a whitelist filter for security protection. I tried to add a few Pure Chat links to the whitelist but still cannot get the Pure Chat conversation tab to show. Kindly assist; here is the error message:

legacy.111147.js:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:

at new Function (<anonymous>)
at Function.b.template (legacy.111147.js:1)
at Module.<anonymous> (legacy.111147.js:32)
at n (legacy.111147.js:1)
at Object.<anonymous> (legacy.111147.js:32)
at n (legacy.111147.js:1)
at legacy.111147.js:1
at legacy.111147.js:1

Does anyone know how to settle this issue? If I disable CSP the script works fine, but how can I enable CSP and have it work too?

1 Like

Add your script source to setting content security policy script src.

I added those error links that I saw in the console tab :slight_smile:

but it is still not working

1 Like

You are using the feature incorrectly; you only need to whitelist the domain, not every single individual URL.

Perhaps the copy needs to be improved here @tshenry?

2 Likes

Thanks for the assist, I will try to amend it again.

1 Like

But the issue is still there: the Pure Chat script does not show up if I enable CSP, even though I added 2 new links. [Screenshot: Screen Shot 2020-04-20 at 11.30.21 PM]

1 Like

Full disclosure - I do not consider myself a CSP guru!

With that said, I think there are scenarios where it would be ideal to whitelist the domain, and other scenarios where it’s better to target the individual scripts. I’m pretty sure it depends on how many scripts you find you need to whitelist, whether you trust the source, etc. I’ll add a note to the guide that mentions that you can use the domain as a cover-all if needed.

The settings in the provided screenshots definitely were a little overkill, but I imagine that was just an attempt to cover everything since nothing was working.

I just tried adding Pure Chat to my test site as an experiment. I could get it working on Chrome using a hash, but it wasn’t enough for Safari and Firefox. I ran it by Penar and this does appear to be one of those unfortunate situations that will require 'unsafe-inline' as mentioned in:


@BishopV I think your only option if you choose to stay with Pure Chat is to remove all of the entries you have in that setting and add 'unsafe-inline' at the cost of security.

Have you considered using HubSpot chat integration instead? That appears to play very well with our CSP policy.

2 Likes

Regardless, the worst possible outcome is for someone to hard-code 20 unique URLs from the same domain…

2 Likes

Thanks for the assist, I think HubSpot is now my solution. I'm glad I chose Discourse as my backend; there is a lot of help and support here.

3 Likes
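
Added example, not part of the thread and not Discourse or Pure Chat code: a simplified model of `script-src` matching that shows why one domain-level source covers every script on that host while per-URL entries miss any file not listed, and why the `EvalError` quoted in the first post is reported either way unless `'unsafe-eval'` is in the directive. The hosts `forum.example` and `cdn.chat.example`, the file names and the function names are constructed for illustration; nonces, hashes and wildcard sources are not modeled.

```javascript
// Added example: simplified script-src model; hosts and file names are constructed.
function parseScriptSrc(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return [];
}

// A bare origin covers every path, a path ending in "/" covers that directory,
// any other path covers exactly one file.
function hostSourceMatches(source, scriptUrl) {
  let src, url;
  try {
    src = new URL(source);
    url = new URL(scriptUrl);
  } catch (e) {
    return false; // keywords, wildcards and scheme-less sources are not modeled
  }
  if (src.origin !== url.origin) return false;
  if (src.pathname.endsWith("/")) return url.pathname.startsWith(src.pathname);
  return url.pathname === src.pathname;
}

function auditPolicy(policy, scriptUrls, callsEval) {
  const sources = parseScriptSrc(policy);
  const hosts = sources.filter((s) => !s.startsWith("'"));
  const perOrigin = {};
  for (const h of hosts) {
    try {
      const origin = new URL(h).origin;
      perOrigin[origin] = (perOrigin[origin] || 0) + 1;
    } catch (e) { /* not a full URL source; skipped in this model */ }
  }
  return {
    blockedScripts: scriptUrls.filter((u) => !hosts.some((h) => hostSourceMatches(h, u))),
    // new Function(string) and eval() are gated by 'unsafe-eval', not by host sources
    evalBlocked: callsEval && !sources.includes("'unsafe-eval'"),
    repeatedOrigins: Object.keys(perOrigin).filter((o) => perOrigin[o] > 1),
  };
}

const WIDGET_SCRIPTS = ["loader.js", "boot.js", "legacy.js"].map((f) => "https://cdn.chat.example/" + f);
const PER_URL_POLICY = "default-src 'self'; script-src https://forum.example/assets/ " +
  "https://cdn.chat.example/loader.js https://cdn.chat.example/boot.js";
const DOMAIN_POLICY = "default-src 'self'; script-src https://forum.example/assets/ https://cdn.chat.example";

console.log(auditPolicy(PER_URL_POLICY, WIDGET_SCRIPTS, true));
console.log(auditPolicy(DOMAIN_POLICY, WIDGET_SCRIPTS, true));
```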
