Description
Describe the bug
The page requested an origin-keyed agent cluster using the Origin-Agent-Cluster header, but could not be origin-keyed since the origin 'http://api-bus-dev-logto-alb-1318319121.us-east-2.elb.amazonaws.com' had previously been placed in a site-keyed agent cluster. Update your headers to uniformly request origin-keying for all pages on the origin.
console/:8 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://cdn.jsdelivr.net/ blob:". Either the 'unsafe-inline' keyword, a hash ('sha256-eilBMQpwub+m0j5L9qySqrJgkxkZBfFtxbNdcmgZCmA='), or a nonce ('nonce-...') is required to enable inline execution.
sign-in-experience.ts:28 Uncaught (in promise) ReferenceError: logtoSsr is not defined
at c3 (sign-in-experience.ts:28:16)
at use-sign-in-experience.ts:16:45
at use-sign-in-experience.ts:19:37
c3 @ sign-in-experience.ts:28
(anonymous) @ use-sign-in-experience.ts:16
(anonymous) @ use-sign-in-experience.ts:19
Expected behavior
When deploying Logto behind an AWS ALB, the Admin (“/console”) UI loads with HTTP 200 but renders a blank page. In the browser console I see:
CSP violation
Refused to execute inline script because it violates ... Content-Security-Policy directive: "script-src 'self' https://cdn.jsdelivr.net blob:". Either the 'unsafe-inline' keyword, a hash (...), or a nonce is required to enable inline execution.
Uncaught ReferenceError
logtoSsr is not defined
at sign-in-experience.ts:28:16
Origin-Agent-Cluster warning
The page requested an origin-keyed agent cluster … but could not be origin-keyed …
Because the default CSP header doesn’t allow inline scripts, Logto’s built-in “bootstrap” snippet (which sets up window.logtoSsr) never runs, so the React UI never hydrates.
Steps to Reproduce
Deploy the official Logto Docker image behind an AWS Application Load Balancer.
ALB listener rules forward /console and /console/* to port 3002 (the Admin target group).
Environment variables do not override the default CSP.
Open http:///console/ in Chrome.
Actual Behavior
The browser fetches console/ and all assets (200 OK)
No UI appears, page remains blank
Console errors show CSP blocking the inline bootstrap script and logtoSsr is not defined.
Expected Behavior
Admin UI loads normally and displays the login/signup screen.
No CSP violations, and window.logtoSsr is initialized.
Environment
Logto OSS (Self deployed)
Screenshots
No response
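The failure reported above can be checked offline by auditing a served page against its CSP. The following is an added example, not Logto's code or part of the original report: it lists each inline script, whether the policy allows it, and the hash-source that would permit exactly that script without enabling `'unsafe-inline'`. The sample HTML and the bootstrap text in it are constructed, and the check assumes no `script-src-elem` or `'strict-dynamic'` is in play.

```python
import base64
import hashlib
from html.parser import HTMLParser

HASH_ALGS = ("sha256", "sha384", "sha512")

def script_sources(csp):
    """Source list governing inline <script>: script-src, else default-src, else None."""
    directives = {}
    for tokens in (part.split() for part in csp.split(";")):
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # repeated directives are ignored
    return directives.get("script-src", directives.get("default-src"))

class InlineScripts(HTMLParser):  # collects (nonce, text) for each <script> without src
    def __init__(self):
        super().__init__()
        self.found, self._nonce, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._nonce, self._buf = attrs.get("nonce"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.found.append((self._nonce, "".join(self._buf)))
            self._buf = None

def csp_hash(text, alg="sha256"):  # hash-source over the exact script text, whitespace included
    digest = hashlib.new(alg, text.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode()}'"

def audit_inline_scripts(csp, html):
    """Return [(allowed, sha256_source)] for every inline script in html."""
    sources, parser = script_sources(csp), InlineScripts()
    parser.feed(html)
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources or [])
    def allowed(nonce, text):
        return (sources is None  # no directive governs scripts
                or any(csp_hash(text, a) in sources for a in HASH_ALGS)
                or (nonce is not None and f"'nonce-{nonce}'" in sources)
                or (not strict and "'unsafe-inline'" in (s.lower() for s in sources)))
    return [(allowed(n, t), csp_hash(t)) for n, t in parser.found]

# Policy quoted in the report; the HTML below is a constructed stand-in for the console page.
PAGE_CSP = "script-src 'self' https://cdn.jsdelivr.net/ blob:"
SAMPLE_HTML = '<script>window.logtoSsr = {};</script><script src="/app.js"></script>'
```

The hash covers the script text byte for byte, so a bootstrap snippet whose content changes per request needs a nonce instead of a fixed hash.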