CSP issues with CF Fonts and CF Workers (execution order)
In my CF Pages site repo, I use a CF Worker (through functions/middleware.js) for, among other things, providing a Content Security Policy. One part of that CSP requires using a nonce to allow style statements, so — also with the Worker — I inject a nonce into any style statements that I must use for whatever reason. I'm now testing Cloudflare Fonts and see that my CSP is rejecting the style statements CF Fonts sets up because that nonce isn't getting injected, presumably because the CF Fonts stuff happens after the Worker runs. Am I correct in assuming that this order can't be changed? And, if that's the case, is my only option to add unsafe-inline and be done with it?
(Also posted this on the Discourse. If I get an answer on either source, will indicate that and close each accordingly.)
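
An added example, not code from the post or from Cloudflare: a small audit that takes the CSP header and the HTML as finally delivered and lists the inline `<style>` elements a browser would refuse. The function names, the nonce value and the sample markup are constructed, and the regex-based `injectNonce` is only a stand-in for the Worker's rewrite step.

```javascript
// Added example: constructed names, nonce and HTML; not the poster's middleware.
// Policy of the kind the post describes: inline styles allowed only by nonce.
function buildCsp(nonce) {
  return `default-src 'self'; style-src 'self' 'nonce-${nonce}'`;
}

// Stand-in for the Worker's rewrite: stamp the nonce on every <style> that
// exists at the moment the Worker sees the HTML.
function injectNonce(html, nonce) {
  return html.replace(/<style\b(?![^>]*\bnonce=)([^>]*)>/gi,
    (_, attrs) => `<style nonce="${nonce}"${attrs}>`);
}

// Read the source list that governs <style> elements, with CSP fallback order.
function styleSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  const src = directives.get("style-src-elem") ?? directives.get("style-src")
    ?? directives.get("default-src") ?? [];
  return {
    nonces: src.filter(v => /^'nonce-.+'$/.test(v)).map(v => v.slice(7, -1)),
    hasHash: src.some(v => /^'sha(256|384|512)-/.test(v)),
    unsafeInline: src.includes("'unsafe-inline'"),
  };
}

// List the <style> start tags a browser would block under this policy.
// Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
// Matching element content against hash sources is not modelled here.
function blockedStyles(html, csp) {
  const { nonces, hasHash, unsafeInline } = styleSources(csp);
  const inlineOk = unsafeInline && nonces.length === 0 && !hasHash;
  const blocked = [];
  for (const m of html.matchAll(/<style\b([^>]*)>/gi)) {
    const nonce = /\bnonce="([^"]*)"/i.exec(m[1])?.[1];
    if (!inlineOk && !(nonce && nonces.includes(nonce))) blocked.push(m[0]);
  }
  return blocked;
}

const SAMPLE_NONCE = "Y29uc3RydWN0ZWQtbm9uY2U="; // constructed value
const fromWorker = injectNonce(
  "<head><style>body{margin:0}</style></head>", SAMPLE_NONCE);
// Constructed stand-in for a <style> added after the Worker has run.
const delivered = fromWorker.replace(
  "</head>", "<style>@font-face{font-family:x}</style></head>");
```

Running `blockedStyles(delivered, buildCsp(SAMPLE_NONCE))` reports only the late-added element, and appending `'unsafe-inline'` to that same policy changes nothing because the nonce source takes precedence.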