Hi! We have a problem with some content on cached pages not showing up. We’ve specified that “cookies_and_content_security_policy” shouldn’t be cached in the LiteSpeed Cache Settings, but right now a petition on the front page, and videos on other pages, are blocked for users who are not logged in (as those visitors are served a cached page). Do you have any suggestion about how to fix it, or any debugging tips?
Everything works without the cache. I’ve also confirmed that if I manually add a specific URI to LiteSpeed’s exclusion list, then the content on that page is loaded (but it would be inconvenient to do that for every page with videos, etc.).
I’ve had this exact problem. For reference, here’s a thread I posted last year: https://ww.wp.xz.cn/support/topic/refused-to-load-spotify-embed/. Back then, I thought only my Spotify embeds were affected, but later I realized that all embeds were blocked as soon as the page was cached. I also thought many times that I’d solved the issue, just to visit my site a day later and find that embeds were blocked again. In the end, I resorted to disabling LiteSpeed Cache altogether.
Now I’ve revisited the issue, and I might finally have the solution. In the CCSP FAQ, it says that “cookies_and_content_security_policy” should be added under LiteSpeed Cache > Cache > Excludes > Do Not Cache Cookies. But this seems to be wrong. This tells LiteSpeed Cache not to cache any page where a cookie in this list appears in the request headers. Thus, on their first visit, visitors receive a cached page with default CSP headers (no consent), so embeds don’t load. After giving consent, the cookie is set, and caching is bypassed for this visitor. However, the page they initially loaded is still in their browser cache with restrictive CSP headers, and the embeds are still not loading.
Instead, “cookies_and_content_security_policy” should be added to Cache > Advanced > Vary Cookies. Then, after giving consent, the cookie is set, and the visitor now receives the cached version for users who have given consent. This version includes CSP headers that allow embeds from domains specified in Settings > Cookies and Content Security Policy > Domains.
Hope this helps! I’ve only recently tried this, so I’ll keep you posted if anything arises.
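
A simplified model of the cache settings discussed in this thread, added here as an illustration (it is not code from the thread, from LiteSpeed Cache or from CCSP). It shows which CSP header an anonymous visit and two post-consent visits receive when the consent cookie is ignored, listed under Do Not Cache Cookies, or listed under Vary Cookies. The embed domain, cookie value and cache logic are constructed assumptions, and browser-side caching is not modelled.

```python
from dataclasses import dataclass, field

CONSENT_COOKIE = "cookies_and_content_security_policy"  # cookie name from the thread
EMBED_ORIGIN = "https://embed.example"                  # constructed embed domain

def origin_render(cookies):
    """Stand-in for WordPress + CCSP: the CSP is widened only when consent is present."""
    sources = "'self'" + (f" {EMBED_ORIGIN}" if CONSENT_COOKIE in cookies else "")
    return {"Content-Security-Policy": f"frame-src {sources}"}

@dataclass
class PageCache:
    """Simplified full-page cache (an assumption, not LiteSpeed's implementation)."""
    no_cache_cookies: frozenset = frozenset()
    vary_cookies: frozenset = frozenset()
    store: dict = field(default_factory=dict)

    def fetch(self, url, cookies):
        # "Do Not Cache Cookies": a listed cookie in the request skips the cache.
        if cookies.keys() & self.no_cache_cookies:
            return origin_render(cookies), "bypass"
        # "Vary Cookies": listed cookies become part of the cache key.
        vary = tuple(sorted((n, v) for n, v in cookies.items() if n in self.vary_cookies))
        key = (url, vary)
        if key in self.store:
            return self.store[key], "hit"
        self.store[key] = origin_render(cookies)
        return self.store[key], "miss"

def simulate(cache):
    """One anonymous visit, then two visits after consent (constructed requests)."""
    consented = {CONSENT_COOKIE: "constructed-value"}
    results = []
    for cookies in ({}, consented, consented):
        headers, status = cache.fetch("/", cookies)
        results.append((status, EMBED_ORIGIN in headers["Content-Security-Policy"]))
    return results

if __name__ == "__main__":
    names = frozenset({CONSENT_COOKIE})
    for label, cache in [("cookie ignored", PageCache()),
                         ("do not cache", PageCache(no_cache_cookies=names)),
                         ("vary", PageCache(vary_cookies=names))]:
        print(f"{label:15}", simulate(cache))
```

Each tuple is (cache status, whether the CSP allows the embed domain). Only the vary configuration ends with a cache hit that carries the consent-aware policy.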