
Conversation

@llovvoll
Contributor

@llovvoll llovvoll commented Dec 23, 2021

[Screenshot: Screen Shot 2021-12-24 at 1 08 35 AM]

  1. Fix being unable to load external JS (Google Analytics and the comment function), because the Content Security Policy did not add the above to the whitelist (Add security headers - fixes #304 #307).
    Reproduce: https://tailwind-nextjs-starter-blog.vercel.app/blog/new-features-in-v1

  2. Fix being unable to get the Disqus shortname config

@vercel

vercel bot commented Dec 23, 2021

Someone is attempting to deploy a commit to a Personal Account owned by @timlrx on Vercel.

@timlrx first needs to authorize it.

@AlexanderZeilmann
Contributor

Ahh right, I forgot them, sorry 🙈
While we are at it, maybe we should also add the URLs for the other analytics scripts (plausible.io, scripts.simpleanalyticscdn.com and vitals.vercel-insights.com).

@llovvoll
Contributor Author

> Ahh right, I forgot them, sorry 🙈 While we are at it, maybe we should also add the URLs for the other analytics scripts (plausible.io, scripts.simpleanalyticscdn.com and vitals.vercel-insights.com).

I have updated the whitelist, thank you for your contribution 🍻

@AlexanderZeilmann
Contributor

I just figured out that we do not have to put vitals.vercel-insights.com in the CSP, as we do not load scripts from there but only send pings, which is already allowed by connect-src *;.
I thought that the CSP was blocking vitals.vercel-insights.com on my site, but it was actually my ad-blocker 🙄

@timlrx
Owner

timlrx commented Dec 24, 2021

My preference would be to only add giscus.app to the CSP so that it works for this demo. Users who clone the template would have to configure the CSP based on the other integrations they opted in for. Yes, it's a little more hassle this way, but I think it's better than whitelisting every analytics or comment provider.

@llovvoll
Contributor Author

llovvoll commented Dec 24, 2021

> My preference would be to only add giscus.app to the CSP so that it works for this demo. Users who clone the template would have to configure the CSP based on the other integrations they opted in for. Yes, it's a little more hassle this way, but I think it's better than whitelisting every analytics or comment provider.

I agree with you. Although this will affect the user experience, because it is hard for us to generate the CSP dynamically, we agree to only add giscus.app.

@timlrx
Owner

timlrx commented Dec 24, 2021

Yes, this was also discussed in the issue by Alexander. There's a bit of trade-off between having a better default security practice vs ease of setting up the template.
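
The trade-off discussed in this thread (ship a minimal default CSP, let each site extend it for the integrations it actually enables) can be made mechanical. The following is an added example and is not the starter blog's own next.config.js: it composes the Content-Security-Policy from a list of opted-in integrations and then checks which script, frame and connect URLs the resulting policy permits, which is exactly the question this PR was debugging. The baseline directives, the Google Analytics hosts (www.googletagmanager.com, www.google-analytics.com) and the Disqus hosts are assumptions for illustration; only giscus.app, plausible.io, scripts.simpleanalyticscdn.com, vitals.vercel-insights.com and `connect-src *` come from the discussion. The `allows()` matcher implements a simplified form of CSP host-source matching (scheme, host with a leading wildcard, explicit port, fallback to default-src), enough to show why the vitals pings pass under `connect-src *` while an unlisted script host is blocked.

```javascript
'use strict';
// Added example (not the tailwind-nextjs-starter-blog's own next.config.js):
// compose the Content-Security-Policy from the integrations a site opted in
// to, then check which script/frame/connect URLs the result permits.

// Hosts per integration. giscus.app, plausible.io,
// scripts.simpleanalyticscdn.com and vitals.vercel-insights.com are the hosts
// named in the PR discussion; the Google Analytics and Disqus hosts are
// assumptions for illustration.
const INTEGRATIONS = {
  giscus: { 'script-src': ['giscus.app'], 'frame-src': ['giscus.app'] },
  plausible: { 'script-src': ['plausible.io'] },
  simpleAnalytics: { 'script-src': ['scripts.simpleanalyticscdn.com'] },
  googleAnalytics: { 'script-src': ['www.googletagmanager.com', 'www.google-analytics.com'] },
  disqus: { 'script-src': ['*.disqus.com'], 'frame-src': ['disqus.com'] },
};

// Assumed baseline (the thread only tells us the template has `connect-src *`).
// 'unsafe-inline' is what inline analytics snippets usually need; prefer a
// nonce or hash if you can drop it.
const BASE = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'"],
  'connect-src': ['*'], // vitals.vercel-insights.com pings need no extra entry
  'img-src': ['*', 'data:'],
};

// Build the policy string. A directive introduced by an integration starts
// from default-src, so adding e.g. frame-src giscus.app does not silently
// drop 'self' for frames.
function buildCsp(enabled) {
  const dirs = {};
  for (const [name, sources] of Object.entries(BASE)) dirs[name] = [...sources];
  for (const key of enabled) {
    const extra = INTEGRATIONS[key];
    if (!extra) throw new Error(`unknown integration: ${key}`);
    for (const [name, hosts] of Object.entries(extra)) {
      if (!dirs[name]) dirs[name] = [...dirs['default-src']];
      for (const h of hosts) if (!dirs[name].includes(h)) dirs[name].push(h);
    }
  }
  return Object.entries(dirs).map(([n, s]) => `${n} ${s.join(' ')}`).join('; ');
}

// Shape expected by headers() in next.config.js, e.g.
//   async headers() { return [{ source: '/(.*)', headers: securityHeaders(['giscus']) }]; }
function securityHeaders(enabled) {
  return [{ key: 'Content-Security-Policy', value: buildCsp(enabled) }];
}

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// "*.disqus.com" matches subdomains only, never the bare apex (as in CSP).
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.disqus.com" -> ".disqus.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Would a fetch governed by `directive` to `url` be allowed? Falls back to
// default-src when the directive is absent, as browsers do.
function allows(policy, directive, url, selfOrigin = 'https://example.com') {
  const dirs = parseCsp(policy);
  const sources = dirs[directive] ?? dirs['default-src'] ?? [];
  const u = new URL(url);
  const selfO = new URL(selfOrigin).origin;
  return sources.some((src) => {
    if (src === "'self'") return u.origin === selfO;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: not host sources
    if (src === '*') return true;
    if (src.endsWith(':')) return u.protocol === src; // scheme-source such as data:
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(src);
    if (!m) return false;
    const [, scheme, hostPat, port] = m;
    if (scheme && !(u.protocol === `${scheme}:` || (scheme === 'http' && u.protocol === 'https:'))) return false;
    if (!hostMatches(hostPat.toLowerCase(), u.hostname)) return false;
    const effPort = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (port && port !== '*' && port !== effPort) return false;
    return true;
  });
}

// Demo: giscus only, as merged for the template's own demo.
const demo = buildCsp(['giscus']);
console.log(demo);
console.log('giscus script:', allows(demo, 'script-src', 'https://giscus.app/client.js'));
console.log('plausible script:', allows(demo, 'script-src', 'https://plausible.io/js/script.js'));
console.log('vitals ping:', allows(demo, 'connect-src', 'https://vitals.vercel-insights.com/v1/vitals'));
```

With only `giscus` enabled, the giscus client script and its frame are allowed, the vitals ping passes because of `connect-src *`, and a Plausible script is still blocked until the site adds `plausible` to its own list. Seeding a new directive from `default-src` is the one design choice worth noting: otherwise adding `frame-src giscus.app` would quietly stop same-origin frames from loading.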

@11006281 11006281 force-pushed the fix/can-not-load-external-script branch from ed38e22 to f62ff2d Compare December 24, 2021 02:14
@vercel

vercel bot commented Dec 24, 2021

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/timlrx/tailwind-nextjs-starter-blog/Ebf2bNNZMAhv4KKxrfo9i9QMcehE
✅ Preview: https://tailwind-nextjs-starter-blog-git-fork-llovvoll-fi-1d62fe-timlrx.vercel.app

@timlrx timlrx merged commit 0082534 into timlrx:master Dec 24, 2021
@11006281 11006281 deleted the fix/can-not-load-external-script branch January 13, 2022 09:54
Meez25 pushed a commit to Meez25/Blog that referenced this pull request Jun 17, 2024
…-script

fix: cannot load external script & unable to get disqus config of shortname
bhiwagade-rahul pushed a commit to bhiwagade-rahul/tailwind-nextjs-starter-blog that referenced this pull request Sep 22, 2025
…-script

fix: cannot load external script & unable to get disqus config of shortname

3 participants