Am I being a donkey but I can’t see how to the search the community forum pages for a key word. Where is the search function?
Hello. Click on the little magnify glass in the top right. It’s by the letter in a circle
Hello @SESI
It looks like the below screenshots, I have seen issues displaying this on older browsers, if you are not seeing this please try an alternate browser.
It’s not just “older browsers”, it doesn’t work at present with the latest Firefox either. It’s still the same issue that was reported back in January:
where your CDN is doing a 301 redirect for the SVG icons to a URL that is not permitted by the Content-Security-Policy. You may need to reach out to Discourse again, or see if you can add https://community.quickfile.co.uk/svg-sprite/ to the list of allowed script-src in the Discourse settings.
I have still the same problem
ian_roberts is spot on. It shows in Chrome but not Firefox. Here is the Chrome screenshot which has the grey search icon top right…
And that is the latest version of Firefox btw.
@SESI / @awariat - I’m trying to replicate this on Firefox 170.0 (64-bit), but everything appears to load fine.
Do you notice it on any page in particular? Is it definitely the same version?
@QFMathew it’s likely a cacheing difference - I definitely see the problem on FF 107.0 but it may work for you if your browser already has a cached copy of the relevant files. Open up developer tools (right-click anywhere, inspect), go to the “network” tab and tick the “disable cache” box at the top, then reload with your dev tools open and see if that makes a difference.
It’s also possible that the problem is specific to a subset of the CDN’s edge servers and you are hitting a different one from us.
As I say, the issue is definitely the redirect.
https://qfcommunity.b-cdn.net/svg-sprite/community.quickfile.co.uk/svg-3-b1d5d387430c32bc4511767e5d9261e9c9ab69ed.js
is doing a 301 permanent redirect to
https://community.quickfile.co.uk/svg-sprite/community.quickfile.co.uk/svg-3-b1d5d387430c32bc4511767e5d9261e9c9ab69ed.js
The Discourse Content-Security-Policy permits the former as a source for scripts but not the latter, Chromium-based browsers treat that as allowed but Firefox needs the redirect target to be permitted as well as the source.
1 Like
I didn’t believe it was a caching issue earlier as I don’t use Firefox normally, but disabling the cache does indeed present the issue.
We’ve made a change in the settings, which does make the icons show up on my side. Hopefully that does the job all round 
No change on my side yet (with or without dev tools “disable cache”) but I guess if it is a CDN thing it might take a while to propagate. Will check again tomorrow.
1 Like
Still looks the same for me in Firefox. I notice you have amended the CSP now and added
community.quickfile.co.uk/svg-sprite
as a script-src, but this needs to be
https://community.quickfile.co.uk/svg-sprite/
with the https:// protocol and the trailing forward slash - sources in CSP can be
- just a hostname with no protocol and no path (e.g.
qfcommunity.b-cdn.net), which matches anything on that host regardless of path or protocol (both http and https) - a single URL not ending with a slash, which matches that specific URL and nothing else
- a URL prefix that does end with a slash, which matches any URL that starts with that prefix
i.e. /svg-sprite matches just /svg-sprite, but /svg-sprite/ matches /svg-sprite/anything/at/all
I’m also getting a load of similar failures for various https://qfcommunity.b-cdn.net/theme-javascripts/ URLs that are now 301 redirecting to the equivalent on https://community.quickfile.co.uk/theme-javascripts/, so you probably need to add
https://community.quickfile.co.uk/theme-javascripts/
as another additional script-src.
I’ve never bothered looking into this in detail as I hate Discourse and don’t really care why it doesn’t work but I always assumed it was because the images were being loaded from elsewhere and something was blocking it. It hasn’t worked for me for at least 2 or 3 years at least on any version of FF that I have used in those years (always pretty much up to date). It doesn’t load the images in buttons etc on any page across the community site.
The “fix” is to hit Ctrl-F5 when the page loads so this suggest sit is an issue with caching something. I also use uBlock Origin and Ghostery so maybe that is also blocking cross domain loading or something. Once the page is reloaded/cache refreshed the rest of the site used to work fine again, although I have noticed today I have to do Ctrl-F5 every time a page is loaded so that is also now worse than it used to be.
I’m not seeing the search or menu images in Firefox either (current version), but if I hover rmy cursopr to the left of the circle I see grey squares with ‘search’ and ‘menu’ as image text and the cursor changes to a hand, so I think it will probably work. And I’ve just noticed, in the box where I’m typing this text, there are a load of other invisible icons for invoking html attributes (strong, emphasis etc) and a final one that shows as a grey square but has no assiciated test hint so I don’t know what it does. Wonder what else we’re missing? This is pretty basic, haven’t encountered it on other sires, would be great if it could be fixed?
@ian_roberts , @Lurch , @bventure
Can I just check if this is still an issue for you since the changes we made to the settings earlier.
That’s very weird, as far as I can see the CSP hasn’t changed - it still lists community.quickfile.co.uk/svg-sprite and not https://community.quickfile.co.uk/svg-sprite/ - and the icons still fail to appear for me in Firefox in a normal window. But they do appear if I open a private browsing window…
No change for me Steve, still only see grey squares when I hover the cursor where the icons should be.
I just wanted to check in on this and see if this remains to be an issue for you? I’m still unable to replicate this using FireFox and no errors are logged in the developer’s console.
It was still broken for me until I opened my developer tools and re-loaded the page with “disable cache”. It seems like the qfcommunity.b-cdn.net CDN is now delivering the offending files again directly with a 200 response, rather than the 301 to community.quickfile.co.uk that caused the errors before, but because 301 is by definition a permanent redirect browsers are supposed to cache them forever - once a browser has had a 301 for a particular URL it need never double-check with the original origin server ever again.
A 301 is an extremely strong assertion, it’s the server saying “the thing that was once at URL X will never be here again, in future you should always look at Y instead”. If the intended semantics were “the thing you want is not here now, but it might be back later” then the CDN should be using 302 rather than 301. I had to force Firefox to ignore the cached 301 so it would go back to qfcommunity.b-cdn.net, at which point it was able to download the files without failing the CSP.
But I still stand by my original comment that the correct course of action here is for you to fix your Content-Security-Policy header - remove the erroneous community.quickfile.co.uk/svg-sprite from script-src and include the correct https://community.quickfile.co.uk/svg-sprite/ and https://community.quickfile.co.uk/theme-javascripts/ instead, that way if the same thing ever happens again and your CDN happens to temporarily issue 301 redirects for these resources then those won’t break users on Firefox.
1 Like