I’m getting a very odd content security policy error with the select2 library on my Edit Post page. The only plugin which uses this on my blog is ACF Pro and I can confirm that disabling ACF Pro the error goes away.
The console error I’m seeing is:
There are a couple of things that are odd about this –
1. Why is it trying to load the resource over http when the site is https?
2. Why is it trying to load the resource from a completely incorrect location?
I searched the source html and the references to select2 are all within the acf pro plugin directory – the URL’s that appear in the screenshot above ARE NOT in my source code!
FYI the content security policy is defined in my .htaccess file and contains the following:
Header set Content-Security-Policy "default-src 'self' www.google.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com maps.googleapis.com www.gstatic.com *.cloudflare.com code.jquery.com https://www.google-analytics.com;connect-src 'self' https://maps.googleapis.com https://maps.gstatic.com yoast.com;img-src 'self' data: https://maps.gstatic.com https://maps.googleapis.com *.gravatar.com s.w.org img.youtube.com https://www.google-analytics.com https://stats.g.doubleclick.net;style-src 'self' 'unsafe-inline' fonts.googleapis.com *.cloudflare.com https://maps.gstatic.com https://use.typekit.net https://p.typekit.net;font-src 'self' fonts.googleapis.com fonts.gstatic.com https://use.typekit.net data:;object-src 'self'"
Can anyone shed any light here? I have deleted my cache and cookies too.
You have something strange going on that is altering the URLs of the scripts. The first step would be to try deactivating other plugins to see if there is some kind of a conflict.
This is only a guess, somewhere, something is trying to load the select2 JS files from a cdn and something else is replacing the domain name with yours as well as loading from non SSL. But that’s only a guess.
wow, looks great. Do you use cloudflare?