Cloudflare DevelopersCD
Cloudflare Developersโ€ข3y ago
rick

CSP strict-dynamic with nonce still blocking the script email-decode.min.js

How can I achieve the goal of a secure CSP while at the same time allowing for this script to run?

  const csp = [
    `upgrade-insecure-requests`,
    `default-src 'self'`,
    `font-src 'self'`,
    `img-src 'self' data: https: blob:`,
    `script-src 'self' 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'`,
    `style-src 'self' 'unsafe-inline'`,
    `frame-src 'self' 'nonce-${nonce}'`,
    `object-src 'none'`,
    `base-uri 'self'`,
  ];


This was the CSP header I was using at the time, and it worked with all other cloudflare related scripts except for specifically email-decode.min.js. It's weird too because it says that the url of the script is from mydomain.com/cdn-cgi/... Shouldn't that mean it works because the origin domain is still the same as self?
Why is this happening?
Was this page helpful?