I can't seem to get Zaraz to work with a

I can't seem to get Zaraz to work with a basic website hosted on Google Sites behind a Cloudflare-proxied domain. I am getting the following error in my browser console:
Refused to load the script 'https://MY_DOMAIN/cdn-cgi/zaraz/s.js?z=JTdCJTIyZXhlY3V0ZWQlMjIlM0ElNUIlNUQlMkMlMjJ0JTIyJTNBJTIyQWFyYW51aSUyMFNvbHV0aW9ucyUyMiUyQyUyMnglMjIlM0EwLjE2Nzk2NjEzMDk3NjExMTEzJTJDJTIydyUyMiUzQTczNSUyQyUyMmglMjIlM0E5NTYlMkMlMjJqJTIyJTNBOTQ5JTJDJTIyZSUyMiUzQTczNCUyQyUyMmwlMjIlM0ElMjJodHRwcyUzQSUyRiUyRnd3dy5hcmFudWkuc29sdXRpb25zJTJGJTIyJTJDJTIyciUyMiUzQSUyMiUyMiUyQyUyMmslMjIlM0EzMCUyQyUyMm4lMjIlM0ElMjJVVEYtOCUyMiUyQyUyMm8lMjIlM0EtNzgwJTJDJTIycSUyMiUzQSU1QiU1RCU3RA==' because it violates the following Content Security Policy directive: "script-src 'report-sample' 'nonce-354ZfNQ0DskSeBwhmaqMLw' 'unsafe-inline' 'unsafe-eval' 'nonce-aadf72f0-c758-4bfc-8ae8-6a283579b97d'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Here is the Content-Security-Policy header for the domain:
base-uri 'self'; object-src 'none'; report-uri /_/view/cspreport; script-src 'report-sample' 'nonce-0j9hWHckFcZ97YG1tpu_ww' 'unsafe-inline' 'unsafe-eval' 'nonce-ad89c5b2-078b-4aec-8d87-8cbbb5421842'; worker-src 'self'; frame-ancestors https://google-admin.corp.google.com/
Zapper™ (5mo ago)
For reference, this can be worked around by using a response header transform rule to remove the Content-Security-Policy header, but this obviously disables CSP.
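A narrower alternative to deleting the header, as an added example that is not part of the thread or of Cloudflare's own code: a Worker on the proxied domain that keeps Google's Content-Security-Policy and only appends the Zaraz script path on the site's own origin (`/cdn-cgi/zaraz/`, the path the blocked `s.js` came from) to the script directives. The function and constant names, the Worker route, and `https://example.com` used in the checks are assumptions; the CSP value itself is the one quoted above.

```javascript
// Added example (not from the thread): a Cloudflare Worker that keeps the
// origin's Content-Security-Policy and only adds the Zaraz script path on
// the site's own origin to the script directives. All names are assumptions.

// Path that the refused s.js was served from in the console error above.
const ZARAZ_PATH = "/cdn-cgi/zaraz/";

// The CSP header value quoted in the question, used for a stand-alone check.
const CSP_FROM_THREAD =
  "base-uri 'self'; object-src 'none'; report-uri /_/view/cspreport; " +
  "script-src 'report-sample' 'nonce-0j9hWHckFcZ97YG1tpu_ww' 'unsafe-inline' " +
  "'unsafe-eval' 'nonce-ad89c5b2-078b-4aec-8d87-8cbbb5421842'; " +
  "worker-src 'self'; frame-ancestors https://google-admin.corp.google.com/";

// Parse a CSP header value into an ordered list of { name, values }.
function parseCsp(csp) {
  return csp
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const parts = d.split(/\s+/);
      return { name: parts[0].toLowerCase(), values: parts.slice(1) };
    });
}

// Serialize the directive list back into header form.
function serializeCsp(directives) {
  return directives.map((d) => [d.name, ...d.values].join(" ")).join("; ");
}

// Return a CSP value that additionally allows external scripts from `source`.
// A <script src> is governed by script-src-elem when present and otherwise by
// script-src (the fallback the console message refers to), so both are patched
// when present. The nonces already in the directive do not help: the blocked
// element evidently carried no matching nonce, and once a nonce is present
// browsers ignore 'unsafe-inline', so a host source is what is missing.
function allowScriptSource(csp, source) {
  const directives = parseCsp(csp);
  const targets = directives.filter(
    (d) => d.name === "script-src" || d.name === "script-src-elem",
  );
  if (targets.length > 0) {
    for (const d of targets) {
      if (!d.values.includes(source)) d.values.push(source);
    }
    return serializeCsp(directives);
  }
  // No script directive: default-src governs scripts. Copy its sources into an
  // explicit script-src so nothing other than scripts is relaxed.
  const def = directives.find((d) => d.name === "default-src");
  if (!def) return csp; // neither set: scripts were never restricted
  directives.push({ name: "script-src", values: [...def.values, source] });
  return serializeCsp(directives);
}

// Worker entry point (deployed with `export default worker`; assumed route on
// the proxied domain). Only the enforced header is touched, not the
// report-only variant.
const worker = {
  async fetch(request) {
    const response = await fetch(request);
    const csp = response.headers.get("Content-Security-Policy");
    if (!csp) return response;
    const origin = new URL(request.url).origin;
    // Headers on a fetched Response are immutable; re-wrap for a mutable copy.
    const patched = new Response(response.body, response);
    patched.headers.set(
      "Content-Security-Policy",
      allowScriptSource(csp, origin + ZARAZ_PATH),
    );
    return patched;
  },
};
```

A host source with a path that ends in `/` is a prefix match and the query string is not part of the comparison, so `https://MY_DOMAIN/cdn-cgi/zaraz/s.js?z=...` is allowed while the rest of Google's policy (object-src, base-uri, frame-ancestors, reporting) stays in force. Whether Zaraz's own injected snippet then passes the policy is a separate question this example does not settle; it only removes the refusal shown in the console.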