Embedded twitter feed not displaying on grav site


Put my grav site laketv8.com behind Cloudflare and borked the twitter feed as below. It was working fine previously so I apparently need to make some modification to permit it?

Completely ignorant how to do that and been searching for hours. I imagine this is very basic stuff, please forgive my naivete this once. :)

Here’s the code in the page: plugin:page-inject using the standard twitterfeed plugin.

Here’s what it appears like instead of the feed:

Neglected to mention that rocket loader is not enabled.

I’m getting this error message:

Content Security Policy: The page’s settings blocked the loading of a resource at https://platform.twitter.com/widgets.js (“default-src”).


Hi thanks!

I presume I should whitelist that widget in Cloudflare somehow? That’s where I’m struggling.

If you don’t mind, where do you see the error?

If you open your Browser Developer Tools, go to Console, you’ll see the error. As for correcting Content Security Policy (CSP) issues, that’s on your web server either in the .htaccess file or some security plugin.

Have a look at this site for more about CSP policies.

BTW, platform.twitter.com should be added to script-src and not default-src but it’s not set.


Thank you, found and reviewing that now. I assumed it was on the CF side but see that I should be in htaccess so studying how to do that properly.

You’re almost there… are you adding these in .htaccess or some plugin?

default-src 'self'
script-src platform.twitter.com
frame-src www.youtube.com

Sorry for delayed response, up to eyeballs taking over a PEG station that’s been really poorly managed.

I’ve been fiddling with the .htaccess similar to above but haven’t nailed it and there’s a twist.

It fails on Chrome and Mozilla but works fine on IE, which I hadn’t noticed earlier as I usually shun the Windows machine here.


Hosted on shared so no access to nginx.conf; hosting provider recommends dedicated server lol.

Looks like Linode time

Dev version here http://larsonnewmedia.com/peg/ works fine. No complaints in console or network.

That all started with Cloudflare somehow?
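
Added example, not part of the original thread: a simplified Python model of how a browser picks the CSP directive that governs an external script, showing why the console error above names default-src and what changes once script-src is set. The page origin https://example.org and the policy strings are constructed for illustration, and source matching is reduced to 'self', *, scheme sources and host sources.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, url, page_origin):
    """Simplified matching: 'self', *, scheme sources and host sources only."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host  # keywords such as 'none' never match a host

def check_script(header, url, page_origin):
    """Return (allowed, governing_directive) for loading an external script."""
    policy = parse_csp(header)
    # Fallback chain: the first directive present governs, the rest are ignored.
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:
            ok = any(source_matches(s, url, page_origin) for s in policy[name])
            return ok, name
    return True, None  # nothing in the policy restricts scripts

PAGE_ORIGIN = "https://example.org"  # constructed placeholder origin
WIDGET = "https://platform.twitter.com/widgets.js"  # URL from the console error
BEFORE = "default-src 'self'"  # constructed: no script-src, so default-src applies
NO_SELF = "default-src 'self'; script-src platform.twitter.com"
AFTER = "default-src 'self'; script-src 'self' platform.twitter.com; frame-src www.youtube.com"

if __name__ == "__main__":
    for label, csp in (("BEFORE", BEFORE), ("NO_SELF", NO_SELF), ("AFTER", AFTER)):
        print(label, "widget:", check_script(csp, WIDGET, PAGE_ORIGIN),
              "own script:", check_script(csp, PAGE_ORIGIN + "/app.js", PAGE_ORIGIN))
```

With NO_SELF the widget loads but the site's own scripts are blocked, because script-src replaces default-src for scripts rather than adding to it.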