'Error with Permissions-Policy'? Disqus Content Security Policy Code


    John Partee

I was setting up the comments for WorthHearing, my new music blog, when I ran into an issue with Disqus and my content security policy (CSP) that wasn't well documented.

Error with Permissions-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.

A CSP tells the browser which sources it may load and run code from, and which origins the page may pull data from. If you are using a CSP (and you probably should!), you'll need these lines to make Disqus work.

Make sure to include your Disqus subdomain, in my case:


  script-src 'unsafe-eval' 'unsafe-inline' https://*your-shortname*

If your policy already has any of these directives (like script-src), you'll need to combine the above with your old security policy. In my case, it looked like:


  default-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline';
  style-src 'unsafe-inline';
  img-src * blob: data:;
  connect-src *;

The CSP above is kind of lazy. It's really not smart to use *'s to allow any source on any of these policies, but I'm not as worried about security with a static site. The big thing is enabling comments here!

Which is working now!

Huge thanks to who did all of the work for me.
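
The merge step described above, written out as an added example (not code from the original post): it parses the existing policy, unions the Disqus sources into the matching directive, and lists the wildcard and `'unsafe-*'` sources the result still carries. `DISQUS_HOST` and the function names are assumptions; the host is a placeholder for your Disqus subdomain.

```javascript
// Placeholder for your Disqus subdomain (assumption, not a real hostname).
const DISQUS_HOST = "https://your-shortname.example";

// Existing policy, copied from the article.
const existingPolicy = `
  default-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline';
  style-src 'unsafe-inline';
  img-src * blob: data:;
  connect-src *;
`;

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so only the first occurrence counts.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Union the sources per directive; appending a second script-src would be ignored.
function mergeCsp(basePolicy, extraPolicy) {
  const merged = parseCsp(basePolicy);
  for (const [name, sources] of parseCsp(extraPolicy)) {
    const current = merged.get(name) || [];
    merged.set(name, [...new Set([...current, ...sources])]);
  }
  return [...merged].map(([n, s]) => [n, ...s].join(" ")).join("; ") + ";";
}

// List the sources that weaken the policy, so the trade-off stays visible.
function auditCsp(policy) {
  const risky = new Set(["*", "'unsafe-inline'", "'unsafe-eval'"]);
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const s of sources) if (risky.has(s)) findings.push(`${name} ${s}`);
  }
  return findings;
}

const disqusPolicy = `script-src 'unsafe-eval' 'unsafe-inline' ${DISQUS_HOST}`;
const combined = mergeCsp(existingPolicy, disqusPolicy);
console.log(combined);
console.log(auditCsp(combined));
```
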
