CSP issues with CF Fonts and CF Workers (execution order)

In my CF Pages site repo, I use a CF Worker (through

functions/middleware.js

functions/middleware.js

) for, among other things, providing a Content Security Policy. One part of that CSP requires using a nonce to allow

style

style

statements, so — also with the Worker — I inject a nonce into any

style

style

statements that I must use for whatever reason. I'm now testing Cloudflare Fonts and see that my CSP is rejecting the

style

style

statements CF Fonts sets up because that nonce isn't getting injected, presumably because the CF Fonts stuff happens after the Worker runs. Am I correct in assuming that this order can't be changed? And, if that's the case, is my only option to add

unsafe-inline

unsafe-inline

and be done with it?

(Also posted this on the Discourse. If I get an answer on either source, will indicate that and close each accordingly.)

Cloudflare Developers•3y ago

Bryce Wray

CSP issues with CF Fonts and CF Workers (execution order)

In my CF Pages site repo, I use a CF Worker (through

functions/middleware.js

functions/middleware.js

) for, among other things, providing a Content Security Policy. One part of that CSP requires using a nonce to allow

style

style

statements, so — also with the Worker — I inject a nonce into any

style

style

statements that I must use for whatever reason. I'm now testing Cloudflare Fonts and see that my CSP is rejecting the

style

style

unsafe-inline

unsafe-inline

and be done with it?

(Also posted this on the Discourse. If I get an answer on either source, will indicate that and close each accordingly.)

CSP issues with CF Fonts and CF Workers (execution order)

Similar Threads

CSP issues with CF Fonts and CF Workers (execution order)

Similar Threads

Similar Threads

Similar Threads