Lost ability to scroll through HA community site

Arosuto93081 · December 22, 2023, 12:03pm

Hi all, since a few weeks I lost the ability to scroll through the HA community site. There also seems to be an object in the foreground when I reload the site that I mus block in order to click any buttons. I initially didn’t complain about it because I thought that the devs would repair the issue but this hasn’t happened as of yet. Does anyone else experience this issue? I tested it on Brave Browser and on Google Chrome, and both have this issue. Help is very welcome.

rvst1 · January 3, 2024, 2:16pm

Have you ever found a solution for that? I do have the same issue. It seems to happen in Chrome for me but only when im logged. Deleting cookies for the community site and the logging in and I can´t scroll again. Firefox is working for me. Edge aswell, so nothing to do with Chromium.

Using Chrome in Incognito works as long as I log in. After that I can´t scroll again.

maxistviews · January 4, 2024, 5:33pm

I am also having this problem. The easiest way to “solve” it for a page is to press Ctrl + F5, but the issue returns whenever I navigate to a new page.

Here are the error logs for my browser’s console - in case that helps:

Console log

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://community.home-assistant.io/logs/ https://community.home-assistant.io/sidekiq/ https://community.home-assistant.io/mini-profiler-resources/ https://community-assets.home-assistant.io/assets/ https://community.home-assistant.io/extra-locales/ https://community.home-assistant.io/highlight-js/ https://community.home-assistant.io/javascripts/ https://community.home-assistant.io/plugins/ https://community.home-assistant.io/theme-javascripts/ https://community.home-assistant.io/svg-sprite/ 'sha256-8uakdak4qxxceyzl0wxad2nnj2tgkya14hybh66pnn0=' 'unsafe-eval' https://community-assets.home-assistant.io/assets/ https://community.home-assistant.io/assets/". Either the 'unsafe-inline' keyword, a hash ('sha256-8uAKDaK4QxxCeYZl0Wxad2Nnj2tgKyA14hYBh66pnn0='), or a nonce ('nonce-...') is required to enable inline execution.

/t/is-this-the-perfect-standalone-tablet-for-ha/658422/104:1  Refused to load the script 'https://static.cloudflareinsights.com/beacon.min.js/v84a3a4012de94ce1a686ba8c167c359c1696973893317' because it violates the following Content Security Policy directive: "script-src https://community.home-assistant.io/logs/ https://community.home-assistant.io/sidekiq/ https://community.home-assistant.io/mini-profiler-resources/ https://community-assets.home-assistant.io/assets/ https://community.home-assistant.io/extra-locales/ https://community.home-assistant.io/highlight-js/ https://community.home-assistant.io/javascripts/ https://community.home-assistant.io/plugins/ https://community.home-assistant.io/theme-javascripts/ https://community.home-assistant.io/svg-sprite/ 'sha256-8uakdak4qxxceyzl0wxad2nnj2tgkya14hybh66pnn0=' 'unsafe-eval' https://community-assets.home-assistant.io/assets/ https://community.home-assistant.io/assets/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

2deprecated.js:53  [THEME 16 'Extra Composer Buttons'] Deprecation notice: `addToolbarPopupMenuOptionsCallback` has been renamed to `addToolbarPopupMenuOption` [deprecated since Discourse 3.2] [removal in Discourse 3.3] [deprecation id: discourse.add-toolbar-popup-menu-options-callback]
a @ deprecated.js:53
plugin-api.js:145  [THEME 16 'Extra Composer Buttons'] To prevent errors in tests, add a `pluginId` key to your `modifyClass` call. This will ensure the modification is only applied once.
Ce @ plugin-api.js:145
2plugin-api.js:145  [THEME 26 'Unformatted Code Detector'] To prevent errors in tests, add a `pluginId` key to your `modifyClass` call. This will ensure the modification is only applied once.
Ce @ plugin-api.js:145
/t/is-this-the-perfect-standalone-tablet-for-ha/658422/104:1 [Intervention] Images loaded lazily and replaced with placeholders. Load events are deferred. See https://go.microsoft.com/fwlink/?linkid=2048113
body_tag_1.js:2  Uncaught TypeError: Cannot read properties of undefined (reading 'extend')
    at body_tag_1.js:2:49
/message-bus/c03fa272486e406691b325dcf08f8232/poll:1 
        
        
        Failed to load resource: the server responded with a status of 429 ()
content.js:2  Error: <svg> attribute viewBox: Expected number, "0 0 100% 4".

Arosuto93081 · January 8, 2024, 2:34am

No I haven’t. Thanks for the tip on edge. Using that for now to navigate this site. you don’t have any plugins on by any coincidence?

maxistviews · January 9, 2024, 12:08am

I think @rvst1 meant that he can navigate the page as long as he ISNT logged in. I can corroborate this behaviour - doesn’t matter if Im in incognito or not.

I did find a few more errors in my developer tools that might shed a light on this? There appears to be an image that shows up overtop the forum when you first load it up. It is a preloader-image class, so I assume its meant to be a splash screen of somekind that then doesnt disappear.

It may not be disappearing because of this:

The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts and style sheets.

To solve this, move all inline scripts (e.g. onclick=[JS code]) and styles into external files.

Allowing inline execution comes at the risk of script injection via injection of HTML script elements. If you absolutely must, you can allow inline script and styles by:

adding unsafe-inline as a source to the CSP header

adding the hash or nonce of the inline script to your CSP header.

Some resources are blocked because their origin is not listed in your site’s Content Security Policy (CSP). Your site’s CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.

A site’s Content Security Policy is set either via an HTTP header (recommended), or via a meta HTML tag.

To fix this issue do one of the following:

(Recommended) If you’re using an allowlist for 'script-src', consider switching from an allowlist CSP to a strict CSP, because strict CSPs are more robust against XSS . See how to set a strict CSP .

Or carefully check that all of the blocked resources are trustworthy; if they are, include their sources in the CSP of your site. Never add a source you don’t trust to your site’s CSP. If you don’t trust the source, consider hosting resources on your own site instead.

Perhaps the way these scripts are set up are not compatible with some new guidelines. (No idea)

Im not sure if I can even report this somewhere. I dont think there is a github for the community, is there?

EDIT: It seems that the problem is with <section id="d-splash">. When I delete it, everything works again.

rvst1 · January 9, 2024, 8:29am

I also found a post in the Discourse Forum (I think thats the software the HomeAssistant Community is using) mentioning this exact same error. They mentioned that this might have something to do with the Auto Quality for YouTube™ plugin. I know that I have that installed on my chrome and will try to uninstall it later and see what happens. Discourse forums don't work with Chrome when logged in - #7 by davidrdguez - support - Discourse Meta

Arosuto93081 · January 13, 2024, 12:11pm

I take note of this as “it’s some kind of error with a cookie popup style of splash screen”? That’s what I found out too. If I block the object temporarily, I can at least click on things via Chrome or Brave, but scrolling is still out of the question.

maxistviews · January 13, 2024, 4:56pm

This seems to have been the solution for me. Which is strange because even in private browsing (where the extensions should be disabled) I still had the issue.