Trouble with content security policy
Looks like you have 2 Content-Security-Policy issued. If multiple CSPs the strictest rules from both will apply (all sources/tokens should pass via both CSPs unscratched).
Content Security Policy could be delivered 2 ways:
- via HTTP header
Content-Security-Policy:
(prefereed) - via meta-tag (restricted possibilities)
So you need to check for double <meta http-equiv="Content-Security-Policy"
in the HTML code.
And check the HTTP response headers(because CMS could publush CSP by default) in the browser developers tool (Crtl+Shift+i in Chrome and Crtl+Shift+k in Fifrefox -> Network tab -> select main page at the left window and look Response headers):
Refused to load the script because it violates the following Content Security Policy directive
It was solved with:
script-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval';
Content Security Policy problem with Cloudflare
Cloudflare's JavaScript Detection service is a very bad feature. Switch it off if you can, because CSP is intended to block such script injection made by ISP. Since injected script does not sent response to Cloudflare, the Cloudflare treat browser as a bot with no JS execution.
Netlify is a static file hosting therefore you have no chance to allow inline scripts with 'nonce-value'
, only 'hash-value'
can be used. But you have no control over injected inline script so any change of code leads to blocking it.
Or just ignore this CSP violation, it does not lead to a disruption of the functioning of the site.
There is no beautiful solution to your problem, you only can raise a issue in Cloudflare and ask them to migrate this inline script to the external script and whitelist it.
Note: This is not the only problem when proxying traffic through Cloudflare, but any time you can stop using Cloudflare as proxy and use it as DNS server only. Just press the bypass button.
Related Topics
How to Vertically Align Text Inside a Flexbox
How to Disable the Resizable Property of a Textarea
How to Avoid Joining All Text from Nodes When Scraping
Invert CSS Font-Color Depending on Background-Color
Making a Div Vertically Scrollable Using Css
Html Parsing of Cricinfo Scorecards
Two Inline-Block Elements, Each 50% Wide, Do Not Fit Side by Side in a Single Row
Difference Between Id and Class in Css, and When Should I Use Them
Generate an HTML Response in a Java Servlet
What Is Href="#" and Why Is It Used
Inputting a Default Image in Case the Src Attribute of an HTML ≪Img≫ Is Not Valid
Why Does the Outer ≪Div≫ Here Not Completely Surround the Inner ≪Div≫
Css Content Generation Before or After 'Input' Elements
When to Use the !Important Property in Css
Getting the Source HTML of the Current Page from Chrome Extension