Taylorsuk

Reputation: 1449

Disqus only works when scripts fail Content Security Policy

I've been battling an intermittent issue with Disqus on a blog page. The issue has been difficult to pin down as it will work sporadically.

Managed to pin the issue down to this:

  1. If the following scripts fail to load due to Content Security Policy then everything works fine and the iframe shows.

(Screenshot: console errors on Disqus load)

  2. Adding the domain to the authorised domain list on Disqus has allowed the following progress, and the issue is now less common; however, it's still not perfect: refreshing the page will prevent the iframe loading, refresh again and it appears!!

(Screenshot: console errors after adding the authorised domain)

If anyone has any ideas how I can get this working properly it would be greatly appreciated.

Upvotes: 1

Views: 214

Answers (1)

Ankit Vijay

Reputation: 4078

From what it looks like, there are a few directives missing from your CSP exclusion list. I would suggest the following:

  1. Use tools like report-uri to report CSP violations on your domain. Report-URI is a life saver, I'm speaking from my experience.

  2. If you are applying the CSP policy for the first time in your application, then start with CSP Report-Only.

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

This is important because you cannot manually check all the violations. It is better that you determine all the violations over a period of time and make your CSP policy more restrictive.

  3. Once you have confidence in your CSP policy, you can create a CSP policy with more confidence. However, ensure that you still report the violations to report-uri or your logging.

Much of this is trial and error, as you do not know what scripts your "trusted" 3rd-party libraries are using. You also cannot control whether their code/implementation changes under the hood. Hence, monitoring helps you to continuously detect violations and take appropriate action.

Upvotes: 1
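As an added illustration of the Report-Only workflow described in the answer (not code from the question, the answer or Disqus): a small Python script that serialises a starting policy into a `Content-Security-Policy-Report-Only` header with a `report-uri` directive, then digests the JSON violation reports browsers POST to that endpoint into a per-directive list of origins to review. The policy, the `/csp-report` path and the sample reports are constructed for the example; the Disqus URLs in them are illustrative, not a verified list of what Disqus loads.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed starting policy for the blog: only our own origin, with violations POSTed to /csp-report
# (hypothetical path; Report-URI or your own log collector would sit behind it).
BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"], "frame-src": ["'self'"]}
REPORT_ENDPOINT = "/csp-report"


def build_header(policy, report_only=True):
    """Serialise a policy dict to a (header name, value) pair.
    Report-Only reports violations without blocking, so the page keeps working while you collect data."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    parts.append(f"report-uri {REPORT_ENDPOINT}")
    return name, "; ".join(parts)


def violation_source(report):
    """Reduce one browser report (the JSON object under 'csp-report') to (directive, source).
    Inline/eval violations carry a keyword such as 'inline' or 'eval' in blocked-uri rather than a URL."""
    body = report["csp-report"]
    directive = body.get("effective-directive") or body["violated-directive"].split()[0]
    blocked = body["blocked-uri"]
    if "://" not in blocked:
        return directive, blocked
    url = urlsplit(blocked)
    return directive, f"{url.scheme}://{url.netloc}"  # allowlist the origin, never the full path


def suggest_allowlist(reports):
    """Aggregate posted reports into directive -> sorted list of origins/keywords seen.
    Treat the output as a review queue: adopt an entry only after confirming you really load it."""
    seen = defaultdict(set)
    for report in reports:
        directive, source = violation_source(report)
        seen[directive].add(source)
    return {directive: sorted(sources) for directive, sources in seen.items()}


# Constructed sample reports in the shape browsers POST to report-uri (not captured from a real site).
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "script-src",
                    "violated-directive": "script-src 'self'", "blocked-uri": "https://disqus.com/embed.js"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "frame-src",
                    "violated-directive": "frame-src 'self'", "blocked-uri": "https://disqus.com/embed/comments/"}},
    {"csp-report": {"document-uri": "https://blog.example/post", "effective-directive": "script-src",
                    "violated-directive": "script-src 'self'", "blocked-uri": "inline"}},
]

if __name__ == "__main__":
    print(build_header(BASE_POLICY))
    print(suggest_allowlist(SAMPLE_REPORTS))
```

An `inline` entry under `script-src` means a third-party snippet is injecting inline script; that is a case for a nonce or hash rather than for widening the origin list.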
