Cloudflare Developers•6mo ago

Cross-Origin Request Blocked, CORS request did not succeed.

I have two websites hosted on the same web server, each using separate domains registered w/ CF. One site is having an issue where an injected script sourced from https://static.cloudflareinsights.com/ appears to be blocked across Edge/Chromium/FF. Error below:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/vef91dfe02fce4ee0ad053f6de4f175db1715022073587. (Reason: CORS request did not succeed). Status code: (null).

None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5HONE8XYXysP+DRNKHfuwve7kxvUdBoaGlODJ6+SfaPg==”.

To my knowledge I haven't willingly enabled any kind of analytics tool outside of basic DNS proxy/caching. Notably, my other domain has proxy/caching enabled as well and is not having this problem. So far I have tried: • Updating site's apache config to the below:

                RewriteEngine On
                RewriteRule ^ - [E=CSP_NONCE:%{UNIQUE_ID}e]
                Header always set Content-Security-Policy "default-src 'self'; style-src 'self' [redacted]; font-src 'self' [redacted]; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; object-src 'none';"
                Header always set Referrer-Policy "strict-origin-when-cross-origin"
                Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
                Header always set X-Frame-Options "SAMEORIGIN"
                Header always set X-Content-Type-Options "nosniff"

                RewriteEngine On
                RewriteRule ^ - [E=CSP_NONCE:%{UNIQUE_ID}e]
                Header always set Content-Security-Policy "default-src 'self'; style-src 'self' [redacted]; font-src 'self' [redacted]; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; object-src 'none';"
                Header always set Referrer-Policy "strict-origin-when-cross-origin"
                Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
                Header always set X-Frame-Options "SAMEORIGIN"
                Header always set X-Content-Type-Options "nosniff"

• Disabling browser cache and reloading • Disabling browser extensions • Visiting Caching > Configuration in the Dashboard to "Purge Everything", then reloading the site So far nothing has solved the issue. I was hoping you guys might have an idea of other things I might try?

17 Replies

GenChadTOP•6mo ago

I have been through at least a dozen cf community posts as well as looked through stack exchange and so far nothing has helped 😦 Notably, when I visit the other site, the script is not injected, and I don't get this error. At this point I would settle for simply removing the script from the problems site but I cannot find the dashboard option to disable it, and I do not want to disable proxying. Thanks in advance for your help!

Erisa•6mo ago

That script comes from the Web Analytics product, which is configured here https://dash.cloudflare.com/?to=/:account/web-analytics It's also confusingly enabled when you click the option to "enable RUM" on Speed > Obsveratory

GenChadTOP•6mo ago

Thank you soooooooo much holy crap I have spent hours researching this problem Is there a guide on how to fix this particular issue in case one decides to use the analytics?

GenChadTOP•6mo ago

Nvm

GenChadTOP•6mo ago

Thanks again!

Erisa•6mo ago

Usually you just need to add static.cloudflareinsights.com to the CORS/CSP headers as an allowed origin for scripts, and it's also worth keeping in mind if you have an ad or tracking blocker on your browser or network it will block it and that can manifest as cross-origin errors also

GenChadTOP•6mo ago

Hmm. I'll have to try playing around with my apache conf some more, as I can ping the hostname just fine All privacy/adblockers are disabled on my browsers for all my domains I've got this line here in my site-specific apache conf but it doesn't seem to have done anything unfortunately

Header always set Content-Security-Policy "default-src 'self'; style-src 'self' [redacted]; font-src 'self' [redacted]; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; object-src 'none';"

Erisa•6mo ago

If you have a page URL with the issue still I can probably have a look - there's a lot of things that error can be caused by, you have to go digging in the network logs to even begin working it out

GenChadTOP•6mo ago

[redacted]

Erisa•6mo ago

the script loads fine when I disable ublock origin and firefox tracking protection

GenChadTOP•6mo ago

Hmm. Weird :p

Erisa•6mo ago

but then the other call to send analytics fails instead:

Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://cloudflareinsights.com/cdn-cgi/rum because it violates the following directive: “default-src 'self'”

this one is because of your CSP header I guess you need cloudflareinsights.com as well as the static subdomain

GenChadTOP•6mo ago

Haven't seen that one yet Going to try messing with my VPN some more I'll add cloudflareinsights.com to my header exceptions. I can live with an issue on my end that I have to figure out as long as it works for everyone else 😅

Erisa•6mo ago

if you have regular users you'll know its working when the analytics fill in with data :P the ones on that dash i linked specifically, the other site-level analytics are different

GenChadTOP•6mo ago

True I'll play around with this some more and see what I get. Thanks again for the help! Figured out the issue. Portmaster was blocking the request 🤦‍♂️

Erisa•6mo ago

😅

GenChadTOP•6mo ago

Portmaster's a great firewall but MAN it is a journey finding your way to sane defaults

Gaming

Programming

Cross-Origin Request Blocked, CORS request did not succeed.