Cross-Origin Request Blocked, CORS request did not succeed.

I have two websites hosted on the same web server, each using separate domains registered w/ CF. One site is having an issue where an injected script sourced from https://static.cloudflareinsights.com/ appears to be blocked across Edge/Chromium/FF. Error below:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/vef91dfe02fce4ee0ad053f6de4f175db1715022073587. (Reason: CORS request did not succeed). Status code: (null).
None of the “sha512” hashes in the integrity attribute match the content of the subresource. The computed hash is “z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5HONE8XYXysP+DRNKHfuwve7kxvUdBoaGlODJ6+SfaPg==”.

To my knowledge I haven't willingly enabled any kind of analytics tool outside of basic DNS proxy/caching. Notably, my other domain has proxy/caching enabled as well and is not having this problem.

So far I have tried:

• Updating the site's apache config to the below:
RewriteEngine On
RewriteRule ^ - [E=CSP_NONCE:%{UNIQUE_ID}e]
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' [redacted]; font-src 'self' [redacted]; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; object-src 'none';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
• Disabling browser cache and reloading
• Disabling browser extensions
• Visiting Caching > Configuration in the Dashboard to "Purge Everything", then reloading the site

So far nothing has solved the issue. I was hoping you guys might have an idea of other things I might try?
17 Replies
GenChadT (OP) · 7mo ago
I have been through at least a dozen cf community posts as well as looked through stack exchange and so far nothing has helped 😦 Notably, when I visit the other site, the script is not injected, and I don't get this error. At this point I would settle for simply removing the script from the problems site but I cannot find the dashboard option to disable it, and I do not want to disable proxying. Thanks in advance for your help!
Erisa · 7mo ago
That script comes from the Web Analytics product, which is configured here: https://dash.cloudflare.com/?to=/:account/web-analytics
It's also, confusingly, enabled when you click the option to "enable RUM" on Speed > Observatory.
GenChadT (OP) · 7mo ago
Thank you soooooooo much, holy crap, I have spent hours researching this problem. Is there a guide on how to fix this particular issue in case one decides to use the analytics?
GenChadT (OP) · 7mo ago
Nvm
GenChadT (OP) · 7mo ago
Thanks again!
Erisa · 7mo ago
Usually you just need to add static.cloudflareinsights.com to the CORS/CSP headers as an allowed origin for scripts. It's also worth keeping in mind that if you have an ad or tracking blocker on your browser or network it will block it, and that can manifest as cross-origin errors also.
GenChadT (OP) · 7mo ago
Hmm. I'll have to try playing around with my apache conf some more, as I can ping the hostname just fine. All privacy/adblockers are disabled on my browsers for all my domains. I've got this line here in my site-specific apache conf but it doesn't seem to have done anything unfortunately:
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' [redacted]; font-src 'self' [redacted]; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; object-src 'none';"
Erisa · 7mo ago
If you have a page URL with the issue still I can probably have a look - there are a lot of things that error can be caused by, you have to go digging in the network logs to even begin working it out.
GenChadT (OP) · 7mo ago
[redacted]
Erisa · 7mo ago
The script loads fine when I disable uBlock Origin and Firefox tracking protection.
GenChadT (OP) · 7mo ago
Hmm. Weird :p
Erisa · 7mo ago
But then the other call to send analytics fails instead:
Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://cloudflareinsights.com/cdn-cgi/rum because it violates the following directive: “default-src 'self'”
This one is because of your CSP header; I guess you need cloudflareinsights.com as well as the static subdomain.
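The reason the connect-src error names "default-src 'self'" is that a fetch directive missing from the policy inherits default-src, so the beacon's request to the apex domain was judged against 'self' alone. The following is an added example, not code from the thread or from Cloudflare: a minimal Python CSP evaluator run over the thread's header (with the [redacted] entries dropped and a placeholder nonce) and over a corrected version that adds connect-src; the page origin https://example.com is a constructed assumption.

```python
from urllib.parse import urlsplit

# Added example: minimal CSP source matching ('self', 'none', host sources) plus the
# rule that a missing fetch directive inherits default-src, which is what bit connect-src.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src", "object-src"}

def parse_csp(header: str) -> dict:
    # 'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}; the first occurrence of a directive wins
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}" + (f":{u.port}" if u.port else "")

def source_matches(src: str, url: str, page_origin: str) -> bool:
    s = src.lower()
    if s == "'self'":
        return origin_of(url) == page_origin.lower()
    if s.startswith("'"):            # 'none', 'nonce-...', 'sha256-...', 'unsafe-*' never match a URL
        return False
    u = urlsplit(url)
    if "://" in s:                   # scheme-bearing host source: scheme and host must both match
        h = urlsplit(s)
        return h.scheme == u.scheme and h.hostname == u.hostname
    return s.split("/")[0] == u.hostname   # bare host source, e.g. cdn.example.com

def csp_allows(header: str, directive: str, url: str, page_origin: str) -> bool:
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")  # CSP fallback: the absent directive inherits default-src
    if sources is None:
        return True                          # nothing applies: the policy does not restrict this load
    return any(source_matches(src, url, page_origin) for src in sources)

# The thread's header with the [redacted] entries dropped and a placeholder nonce, and a
# corrected version that adds connect-src so the beacon can send its data to the apex domain.
ORIGINAL_CSP = ("default-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; "
                "script-src 'self' https://static.cloudflareinsights.com 'nonce-PLACEHOLDER'; "
                "object-src 'none';")
FIXED_CSP = ORIGINAL_CSP + " connect-src 'self' https://cloudflareinsights.com;"

if __name__ == "__main__":
    print(csp_allows(ORIGINAL_CSP, "connect-src", "https://cloudflareinsights.com/cdn-cgi/rum", "https://example.com"))  # False
```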
GenChadT (OP) · 7mo ago
Haven't seen that one yet. Going to try messing with my VPN some more. I'll add cloudflareinsights.com to my header exceptions. I can live with an issue on my end that I have to figure out as long as it works for everyone else 😅
Erisa · 7mo ago
If you have regular users you'll know it's working when the analytics fill in with data :P The ones on that dash I linked specifically; the other site-level analytics are different.
GenChadT (OP) · 7mo ago
True, I'll play around with this some more and see what I get. Thanks again for the help! Figured out the issue. Portmaster was blocking the request 🤦‍♂️
Erisa · 7mo ago
😅
GenChadT (OP) · 7mo ago
Portmaster's a great firewall, but MAN it is a journey finding your way to sane defaults.