[CSP] Chrome, ERR_SPDY_PROTOCOL_ERROR, and an invalid HTTP header

0E800

Just wanted to follow up with a issue I was able to resolve.

Issue:

Chrome loaded Flarum site yesterday, today chrome would not load site, but Firefox would.

Error in Chrome:

Pasting in Chrome address bar:
chrome://net-internals/#events

You can see the HTTP/2 protocol details:

Checking my Nginx config, the CSP Headers looked like

add_header Content-Security-Policy "default-src 'self' https://*.keys-daggers.org https://www.google.com https://*.youtube.com; 
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://en.gravatar.com https://cdn.pubnub.com/pubnub.js  https://www.gravatar.com https://*.keys-daggers.org https://pastebin.com https://www.google.com https://www.gstatic.com  https://cdnjs.cloudflare.com; 
style-src 'self' 'unsafe-inline' https://*.keys-daggers.org https://cdnjs.cloudflare.com https://netdna.bootstrapcdn.com https://fonts.googleapis.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com https://keys-daggers.org https://unsplash.it https://*.ssl-images-amazon.com https://*.imgur.com https://cdn.jsdelivr.net; font-src 'self' https://*.keys-daggers.org https://cdnjs.cloudflare.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; connect-src 'self' https://*.pubnub.com; 
media-src 'self'; object-src 'self'; form-action 'self'; 
upgrade-insecure-requests; 
block-all-mixed-content; 
report-uri https://keysdaggers.report-uri.io/r/default/csp/enforce;";

It all looked good and like said, worked fine in Chrome just the other day. The site also worked in Firefox.
It wasnt until I copied and pasted above code into https://nginxbeautifier.com/ that I noticed my line breaks also broke the content security policy (didn't respect the quotations). It wasn't until I made the CSP all one line that Chrome rendered the page.

Correct CSP:

add_header Content-Security-Policy "default-src 'self' https://*.keys-daggers.org https://www.google.com https://*.youtube.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://en.gravatar.com https://cdn.pubnub.com/pubnub.js  https://www.gravatar.com https://*.keys-daggers.org https://pastebin.com https://www.google.com https://www.gstatic.com  https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://*.keys-daggers.org https://cdnjs.cloudflare.com https://netdna.bootstrapcdn.com https://fonts.googleapis.com https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com https://keys-daggers.org https://unsplash.it https://*.ssl-images-amazon.com https://*.imgur.com https://cdn.jsdelivr.net; font-src 'self' https://*.keys-daggers.org https://cdnjs.cloudflare.com https://fonts.gstatic.com https://netdna.bootstrapcdn.com; connect-src 'self' https://*.pubnub.com; media-src 'self'; object-src 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; report-uri https://keysdaggers.report-uri.io/r/default/csp/enforce;";

Source reference and credit:
https://www.michalspacek.com/chrome-err_spdy_protocol_error-and-an-invalid-http-header