Trouble With Content Security Policy


Looks like you have 2 Content-Security-Policies issued. If there are multiple CSPs, the strictest rules from both will apply (all sources/tokens should pass through both CSPs unscathed).

Content Security Policy can be delivered in 2 ways:

  • via the HTTP header Content-Security-Policy: (preferred)
  • via a meta tag (restricted possibilities)

So you need to check for a double <meta http-equiv="Content-Security-Policy"> in the HTML code.

And check the HTTP response headers (because the CMS could publish a CSP by default) in the browser developer tools (Ctrl+Shift+I in Chrome and Ctrl+Shift+K in Firefox -> Network tab -> select the main page in the left window and look at Response headers):
[Screenshot: response headers in the browser console]
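As an added illustration of the point above (this is example code written for this page, not code from any of the answers), the script below gathers every CSP a response carries, from both the HTTP header and any <meta http-equiv> tags, and then checks a script URL against each policy separately. The browser enforces every policy it receives on its own, so a source that passes one policy but fails the other is still blocked. The response headers, HTML and page origin are constructed sample data; the source-expression matching is deliberately simplified (noted in the comments) and is not a full implementation of the CSP spec.

```python
"""Added example, not part of the original answers: gather every CSP a
response carries (HTTP headers plus <meta http-equiv> tags) and check a
script URL against each one, because a browser enforces every policy
independently and a source must be allowed by all of them."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _MetaCSPCollector(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy" and a.get("content"):
            self.policies.append(a["content"])


def collect_policies(headers, html):
    """headers: list of (name, value) pairs from the response; returns all CSPs found."""
    from_headers = [v for n, v in headers if n.lower() == "content-security-policy"]
    collector = _MetaCSPCollector()
    collector.feed(html)
    return from_headers + collector.policies


def parse_policy(policy):
    """Split 'dir a b; dir2 c' into {dir: [a, b], dir2: [c]}.
    A directive repeated inside one policy is ignored (the first wins), as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # wildcard needs at least one extra label
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(expr, url, page_origin):
    """Does one source expression match the URL? Simplified matching: 'self' is an
    exact (scheme, host[:port]) comparison and a host-source without a port
    matches any port; the spec's scheme-upgrade and default-port rules are omitted."""
    e = expr.lower()
    u = urlsplit(url)
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if e.startswith("'"):                 # nonces, hashes, 'unsafe-inline' etc. never match a URL
        return False
    if e.endswith(":") and "://" not in e:  # scheme-source such as https:
        return u.scheme == e[:-1]
    scheme, rest = e.split("://", 1) if "://" in e else (None, e)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and u.scheme != scheme:
        return False
    if port and port != "*" and str(u.port or "") != port:
        return False
    return _host_matches(host, (u.hostname or "").lower())


def policy_allows_script(policy, url, page_origin):
    """script-src governs scripts; if absent, default-src does; if neither, unrestricted."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def allowed_by_all(policies, url, page_origin):
    """Returns (overall verdict, per-policy verdicts): one False anywhere blocks the load."""
    verdicts = [policy_allows_script(p, url, page_origin) for p in policies]
    return all(verdicts), verdicts


# Constructed sample response: the CMS sends a CSP header and the template
# also carries a CSP meta tag, the "two policies" situation described above.
PAGE_ORIGIN = ("https", "www.example.com")
HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'"),
]
HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://cdn.example.com">
</head><body><script src="https://cdn.example.com/app.js"></script></body></html>"""

if __name__ == "__main__":
    found = collect_policies(HEADERS, HTML)
    print(f"{len(found)} policies found")
    for url in ("https://cdn.example.com/app.js", "https://www.example.com/main.js"):
        ok, per_policy = allowed_by_all(found, url, PAGE_ORIGIN)
        print(f"{url}: {'allowed' if ok else 'BLOCKED'} {per_policy}")
```

In the sample, the CDN script is allowed by the meta-tag policy but not by the header's default-src 'self', so the overall verdict is blocked; that is exactly the situation where the browser reports a violation even though the policy you wrote yourself looks correct.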

Refused to load the script because it violates the following Content Security Policy directive

It was solved with:

script-src 'self' http://xxxx 'unsafe-inline' 'unsafe-eval';

Content Security Policy problem with Cloudflare

Cloudflare's JavaScript Detection service is a very bad feature. Switch it off if you can, because CSP is intended to block such script injection made by an ISP. Since the injected script does not send a response to Cloudflare, Cloudflare treats the browser as a bot with no JS execution.

Netlify is static file hosting, therefore you have no chance to allow inline scripts with a 'nonce-value'; only a 'hash-value' can be used. But you have no control over the injected inline script, so any change to the code leads to it being blocked.

Or just ignore this CSP violation; it does not lead to a disruption of the functioning of the site.

There is no beautiful solution to your problem; you can only raise an issue with Cloudflare and ask them to migrate this inline script to an external script and whitelist it.

Note: This is not the only problem when proxying traffic through Cloudflare, but at any time you can stop using Cloudflare as a proxy and use it as a DNS server only. Just press the bypass button.
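To make the hash-vs-nonce point above concrete, here is an added example (written for this page, not code from the answer or from Cloudflare or Netlify) of hash-based allow-listing of an inline script. The hash covers the exact text of the script body, so a policy that allow-lists an injected script by hash stops matching the moment the injected code changes by even one character. The inline snippet is a constructed placeholder, not the real injected script.

```python
"""Added example, not part of the original answers: hash-based allow-listing
of an inline script, the only inline mechanism left on static hosting that
cannot mint a fresh nonce per response. The hash is computed over the exact
script text, so any change to an injected script invalidates the entry."""
import base64
import hashlib

HASH_ALGOS = ("sha256", "sha384", "sha512")   # the digests CSP accepts


def csp_hash(script_text, algo="sha256"):
    """CSP source expression for an inline script body: the digest of the
    UTF-8 text between <script> and </script>, whitespace included, in base64."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(script_src_sources, script_text):
    """True if some hash expression in the script-src list matches the script body.
    Only the hash check is modelled; 'unsafe-inline' handling is out of scope here."""
    for src in script_src_sources:
        if src.startswith("'sha") and src.endswith("'"):
            algo = src[1:].split("-", 1)[0]
            if algo in HASH_ALGOS and csp_hash(script_text, algo) == src:
                return True
    return False


# Constructed sample: a stand-in for the inline snippet a proxy injects
# (placeholder content, not the real script) and a policy that allow-lists it.
INJECTED = "document.documentElement.dataset.ready = '1';"
POLICY_SCRIPT_SRC = ["'self'", csp_hash(INJECTED)]

if __name__ == "__main__":
    print("script-src", " ".join(POLICY_SCRIPT_SRC))
    print("unchanged script allowed:", inline_script_allowed(POLICY_SCRIPT_SRC, INJECTED))
    # The proxy ships a slightly different snippet (even one extra space breaks the hash):
    print("modified script allowed:", inline_script_allowed(POLICY_SCRIPT_SRC, INJECTED + " "))
```

Running it prints the script-src line you would paste into the policy, then True for the unchanged snippet and False for the modified one, which is why a hash allow-list only works for inline code you control yourself.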
