CSP error with Disqus on github pages

925 views Asked by At

I have a jekyll based blog on github pages with comments served by Disqus. Or to be more precise: they used to get served by Disqus. I discovered, that the Disqus stuff fails to load.

In Chrome I see the following error in the console:

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJdmFyIG5vb3BmbiA9IGZ1…gpKTsKCQkJfQoJCX0KCX0pKCk7Cgl3aW5kb3cuX2dhcSA9IGdhcS5xZiA9IGdhcTsKfSkoKTs=' because it violates the following Content Security Policy directive: "script-src https://.twitter.com: https://a.disquscdn.com .services.disqus.com: https://c.disquscdn.com http://.twitter.com: https://apis.google.com/js/api.js http://a.disquscdn.com https://cdn.syndication.twimg.com/tweets.json https://.services.disqus.com: https://connect.facebook.net/en_US/sdk.js https://referrer.disqus.com/juggler/ 'unsafe-eval' a.disquscdn.com http://disqus.com https://ssl.google-analytics.com https://disqus.com".

I first thought Disqus is doing something stupid, but I found this article which makes me think I'm doing something wrong, like using jquery to load Disqus. But I don't see what is causing the problem.

Another thought I had is, that maybe my cookie banner or privace badger is causing problems, but Privacy Badger is configured to only block google analytics on the site and even allowing that, doesn't make it work.

Also everything works as intended when running jekyll serve locally.

And I excluded the cookie banner as the source of the problem, by removing it temporarly, without any effect on Disqus

I don't think this SO question is the same problem, because I don't have an iframe.

My actual question consists of three parts:

  1. How do I debug such a problem?
  2. What is the root cause of the problem?
  3. And how do I fix it?
1

There are 1 answers

3
Ry- On BEST ANSWER

In your disqus_config, you have:

this.page.url = 'http://blog.schauderhaft.dehttp://blog.schauderhaft.de/';

because of the combination of a hardcoded base URL and | prepend: site.url in _includes/disqus.html:

this.page.url = 'http://blog.schauderhaft.de{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}';

This should work fine:

this.page.url = '{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}';

The CSP error should disappear if you disable all extensions. It might be an attempt by Disqus to work around blockers that they don’t test properly with CSP enabled; hard to tell without the source.