Page Preloader breaking Storj Forum interaction - script blocked by chrome

Every time I open up this forum I am unable to interact with the page at all until I do CTRL+F5.

For some reason the preloader is covering the whole page.

image1681×1156 212 KB

It looks like the for the preloader is being blocked by Chrome.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://forum.storj.io/logs/ https://forum.storj.io/sidekiq/ https://forum.storj.io/mini-profiler-resources/ https://storj-s3.bcdn.literatehosting.net/assets/ https://storj-s3.bcdn.literatehosting.net/brotli_asset/ https://forum.storj.io/extra-locales/ https://storj.bcdn.literatehosting.com/highlight-js/ https://storj.bcdn.literatehosting.com/javascripts/ https://storj.bcdn.literatehosting.com/plugins/ https://storj.bcdn.literatehosting.com/theme-javascripts/ https://storj.bcdn.literatehosting.com/svg-sprite/ 'report-sample' 'sha256-rwfdvotzygqmkowfnaex564b66behoel4+grlgqughg=' https://storj.ideas.aha.io https://secure.aha.io/assets/idea_portals/embedded/application.js https://lcstorj-92e2.kxcdn.com https://www.redditstatic.com/ads/pixel.js https://storj.bcdn.literatehosting.com". Either the 'unsafe-inline' keyword, a hash ('sha256-rwfDVOTzygQmkOwFNAeX564B66beHoel4+gRLgQUgHg='), or a nonce ('nonce-...') is required to enable inline execution.

Thank you @TechAUmNu

We will investigate.

I can’t replicate this. Can you identify what it’s trying to load that is getting blocked?

What browser are you using?

Does the problem go away if you access https://forum.storj.io/?safe_mode=no_themes ?

@bre have you experienced this issue or had other reports?

The pageloader contains an inline script which is what gets blocked from running.

image1163×1259 69.3 KB

Chrome 64bit Version 105.0.5195.102

Using safemode fixes the problem. The whole section for the pageloader is not there when using safemode.

I also now tried logging out and that fixes the problem until I log back in…

Did you install this as an App in Chrome? That’s likely the issue. The Content Security Policy for Chrome Apps is causing this. Chrome has stopped support for Chrome Apps

That all being said, it’s better to not use inline javascript and instead reference the script as a separate file to avoid these kinds of things.

Nice work, @Knowledge ! I didn’t know that.

This is in Discourse Core, so it’s nothing about this site. Since Chrome Apps are going away, I suspect that the Discourse developers don’t care much about supporting them. That said, this loader is a new feature and it’s a good bet that they intend to move that code to a script Real Soon Now (unless there is some reason not to?). That’s the kind of thing that they are generally quite careful about, so I suspect that either there is some reason that they are doing that (like after the site loads that gets removed?) or it’s a placeholder while they tweak other things about the feature.

I haven’t installed it as a chrome app. I did just go into the apps chrome://apps and removed JamStash, and the website now works fine… Not entirely sure if removing that was related since I didn’t try the site immediately before removing it today.

For now at least it appears to be fixed.

This is the first report and I have not experienced it on my end

It’s not caused by anything on your site, so it’s in Discourse core. I haven’t seen any similar reports on meta.discourse.org, so my guess is that JamStash was the issue, however unlikely that may seem.

Thank you for getting to the bottom of this weird one