rikhall
Kevin Powell - Community
Created by rikhall on 9/8/2023 in #ui-ux
UX: Login/Sign in modal for scripts turned on, separate page for when turned off
No description
2 replies
Cloudflare Developers
Created by rikhall on 8/31/2023 in #general-help
How to troubleshoot account analytics errors?
No description
1 reply
Cloudflare Developers
Created by rikhall on 8/22/2023 in #general-help
CSP strict-dynamic with nonce still blocking the script email-decode.min.js
How can I achieve the goal of a secure CSP while at the same time allowing for this script to run?
const csp = [
`upgrade-insecure-requests`,
`default-src 'self'`,
`font-src 'self'`,
`img-src 'self' data: https: blob:`,
`script-src 'self' 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'`,
`style-src 'self' 'unsafe-inline'`,
`frame-src 'self' 'nonce-${nonce}'`,
`object-src 'none'`,
`base-uri 'self'`,
];
This was the CSP header I was using at the time, and it worked with all other Cloudflare-related scripts except specifically email-decode.min.js. It's weird too because it says that the URL of the script is from mydomain.com/cdn-cgi/... Shouldn't that mean it works, because the origin domain is still the same as self? Why is this happening?
1 reply
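The following is an added example, not code from the post above and not Cloudflare's code: a reduced JavaScript model of how a browser evaluates a `script-src` source list under CSP Level 3, run against the policy from the post. It exists to show the rule that answers the question: once `'strict-dynamic'` is present, the browser ignores `'self'`, `'unsafe-inline'`, scheme sources such as `https:` and host sources entirely, so a same-origin script is allowed only if its tag carries the nonce or it was created by an already-trusted script through `document.createElement`. Assumptions, labelled in the code: the page origin `https://mydomain.com`, the nonce value, the shortened `/cdn-cgi/email-decode.min.js` path (the post only gives `mydomain.com/cdn-cgi/...`), and that the email-decode tag is injected as a parser-inserted `<script>` without the page's nonce. Hash sources and wildcard host patterns are left out of the model.

```javascript
// Added example (not from the original post or from Cloudflare): a reduced
// model of CSP Level 3 script-src evaluation, enough to show why a same-origin
// <script> without a nonce is blocked once 'strict-dynamic' is present.

const PAGE_ORIGIN = "https://mydomain.com"; // assumption; the post says mydomain.com

// Split a script-src value into typed source expressions.
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((tok) => {
    if (/^'nonce-.+'$/.test(tok)) return { kind: "nonce", value: tok.slice(7, -1) };
    if (tok.startsWith("'")) return { kind: "keyword", value: tok.toLowerCase() };
    if (/^[a-z][a-z0-9+.-]*:$/i.test(tok)) return { kind: "scheme", value: tok.slice(0, -1).toLowerCase() };
    return { kind: "host", value: tok.toLowerCase() };
  });
}

// Host-source matching reduced to an exact origin comparison.
function hostMatches(pattern, url) {
  const withScheme = pattern.includes("://") ? pattern : `${url.protocol}//${pattern}`;
  try { return new URL(withScheme).origin === url.origin; } catch { return false; }
}

// script: { src, nonce, inline, parserInserted, createdByTrustedScript }
// Returns { allowed, reason } following the CSP3 matching rules, simplified.
function scriptAllowed(scriptSrcValue, script) {
  const sources = parseSourceList(scriptSrcValue);
  const has = (kw) => sources.some((s) => s.kind === "keyword" && s.value === kw);
  const nonces = sources.filter((s) => s.kind === "nonce").map((s) => s.value);
  const strictDynamic = has("'strict-dynamic'");

  // A nonce on the element that matches the policy always allows it.
  if (script.nonce && nonces.includes(script.nonce)) {
    return { allowed: true, reason: "nonce matched" };
  }

  if (strictDynamic) {
    // With 'strict-dynamic' the browser ignores 'self', 'unsafe-inline',
    // scheme sources (https:) and host sources. The only other way in is
    // trust propagation: the script was created by an already-trusted script
    // via a non-parser-inserted API (document.createElement + appendChild).
    // Tags the HTML parser saw, including ones written with document.write
    // or innerHTML, do not inherit trust.
    if (!script.parserInserted && script.createdByTrustedScript) {
      return { allowed: true, reason: "trust propagated from a nonced script" };
    }
    return { allowed: false, reason: "'strict-dynamic' in effect and no matching nonce" };
  }

  if (script.inline) {
    // 'unsafe-inline' only counts when the list carries no nonce (or hash).
    const ok = has("'unsafe-inline'") && nonces.length === 0;
    return { allowed: ok, reason: ok ? "'unsafe-inline'" : "inline script without nonce" };
  }

  const url = new URL(script.src, PAGE_ORIGIN);
  for (const s of sources) {
    if (s.kind === "keyword" && s.value === "'self'" && url.origin === PAGE_ORIGIN) {
      return { allowed: true, reason: "'self'" };
    }
    if (s.kind === "scheme" && url.protocol === `${s.value}:`) {
      return { allowed: true, reason: `scheme ${s.value}:` };
    }
    if (s.kind === "host" && hostMatches(s.value, url)) {
      return { allowed: true, reason: `host ${s.value}` };
    }
  }
  return { allowed: false, reason: "no source expression matched" };
}

// The script-src from the post (nonce value constructed for the demo).
const NONCE = "r4nd0mN0nc3";
const POSTED_SCRIPT_SRC = `'self' 'unsafe-inline' https: 'strict-dynamic' 'nonce-${NONCE}'`;
const WITHOUT_STRICT_DYNAMIC = `'self' 'unsafe-inline' https: 'nonce-${NONCE}'`;

// Constructed script elements. The email-decode path is shortened (the post
// only says it lives under mydomain.com/cdn-cgi/), and its being a
// parser-inserted tag without the page's nonce is an assumption.
const SCRIPTS = {
  appBundle: { src: "/app.js", nonce: NONCE, parserInserted: true },
  emailDecode: { src: "/cdn-cgi/email-decode.min.js", nonce: null, parserInserted: true },
  loadedByBundle: { src: "https://cdn.example/widget.js", nonce: null, parserInserted: false, createdByTrustedScript: true },
  writtenByBundle: { src: "https://cdn.example/other.js", nonce: null, parserInserted: true, createdByTrustedScript: true },
};

function evaluateAll(policy) {
  const out = {};
  for (const [name, el] of Object.entries(SCRIPTS)) out[name] = scriptAllowed(policy, el);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("posted policy:", evaluateAll(POSTED_SCRIPT_SRC));
  console.log("same policy minus 'strict-dynamic':", evaluateAll(WITHOUT_STRICT_DYNAMIC));
}
```

Run it with `node`. Under the posted policy only the nonced bundle and the script the bundle creates with `createElement` pass; the same-origin `/cdn-cgi/` script is blocked even though `'self'` and `https:` are in the list, because `'strict-dynamic'` tells the browser to disregard those expressions. Remove `'strict-dynamic'` and the same script is allowed by `'self'`, which is the behaviour the post expected. The model also shows why writing a `<script>` tag with `document.write` or `innerHTML` from a trusted script does not help: the parser inserts it, so it gets no trust.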