On our static site we have set 2 Content Security Policy headers, one for the rest of the site and one for this particular page. On that page we are seeing what appears to be random switching between the 2 headers when the page is refreshed or loaded causing the app on the page to be disabled.
The attached gifs illustrate the problem: Sometimes the page loads fine, refresh again and sometimes it throws an error about Content Security Policy which is being used on the other pages.
Load page and it breaks:
Load same page a second later and it’s fine
And a reload later of the same page a second later and it breaks again
Just to reiterate that in between page loads there have been no external changes that could cause this: I am not clearing cache and not rebuilding the server. It’s all happening within same window/session a few seconds apart.
This is a big problem for us because the app on the page is non-functional when the CSP throws the error, we’ve set up an automated test to alarm when it changes and it seems completely intermittent.
Does anyone have any idea what is going on or how to fix it? Some overzealous caching by Cloudflare perhaps? Any ideas or similar experiences would be greatly appreciated.
Hey Mike,
I took a look at the headers you define on your service and those that returned when a request is made - each time the request fails it relates to the jsd-widget.atlassian.com - is that something you’re loading? A ‘clean’ load shows the content-security-policy as you exactly have it set but I’m suspicious that something outside of Render is messing with it here.
Yes we are loading the Jira Service widget on that page via a script tag. The error is highlighting jsd-widget (Jira Service widget) as that’s not cleared by the stricter (longer) version of content-security-policy, so that’s why it relates to the failed request.
The header is swapping back and forth randomly, I think it might be a server caching issue and I wonder if there’s any correlation between failed requests and cloudflare headers…
Here’s another gif that shows the different content-security-policy headers being loaded after a few seconds reload on the same page just to re-illustrate, but I’m still clueless.
Or could it be something going on with the way we’ve set the header for that particular page?
Oh, are you saying that the longer policy was one that you previously yourself added and it’s not the policy that you presently have set being fudged by something in the request?
There are 2 versions of the same header, one version is set for all pages, the other version is set for the page /header-test. Randomly though when requesting Render header test the header will change between versions. See new gif to illustrate:
Hopefully this makes it clearer. The same header is switching values between header-foo-1 and header-foo-2
The headers are set in the render.yaml. The issue is either with the way the header is set or caching I think.
This is the odd thing, mostly it will work and then intermittently it will break. Sometimes removing trailing slash will break. I don’t get consistent behaviour to be able to tell you how.
I’ve done some further testing in Chrome and Curl and I think it’s something to do with the way that we’ve set the header with the wildcard.
The problem is trailing slashes, I think, to get around people hitting our URL with and without trailing slashes we tried using the following headers settings:
Header setting scenario 1
Request path
Header name
Header value
/*
X-Foo
header-foo-1
/header-test
X-Foo
header-foo-2
/header-test/
X-Foo
header-foo-2
If URL requested includes a trailing slash e.g. /header-test/ and the headers are set as above then we were seeing the following happen:
No, I don’t think there is anything further that needs to be said on the subject.
I think for future reference it would be a good idea to document what can and can’t be done when setting headers as the behaviour is unexpected in scenario 1 and 2 stated above. We spent an inordinate amount of time trying to figure out what was wrong in the randomness we were seeing not knowing whether it was app changes, cache issues or something else.