rikhall
rikhall
Explore posts from servers
KPCKevin Powell - CommunityCDCloudflare Developers
PostsComments
CDCloudflare Developers
Created by rikhall on 8/31/2023 in #general-help
How to troubleshoot account analytics errors?
No description
1 replies
CDCloudflare Developers
Created by rikhall on 8/22/2023 in #general-help
CSP strict-dynamic with nonce still blocking the script email-decode.min.js
How can I achieve the goal of a secure CSP while at the same time allowing for this script to run? 
  const csp = [
    `upgrade-insecure-requests`,
    `default-src 'self'`,
    `font-src 'self'`,
    `img-src 'self' data: https: blob:`,
    `script-src 'self' 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'`,
    `style-src 'self' 'unsafe-inline'`,
    `frame-src 'self' 'nonce-${nonce}'`,
    `object-src 'none'`,
    `base-uri 'self'`,
  ];
  const csp = [
    `upgrade-insecure-requests`,
    `default-src 'self'`,
    `font-src 'self'`,
    `img-src 'self' data: https: blob:`,
    `script-src 'self' 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'`,
    `style-src 'self' 'unsafe-inline'`,
    `frame-src 'self' 'nonce-${nonce}'`,
    `object-src 'none'`,
    `base-uri 'self'`,
  ];
This was the CSP header I was using at the time, and it worked with all other cloudflare related scripts except for specifically email-decode.min.js. It's weird too because it says that the url of the script is from mydomain.com/cdn-cgi/... Shouldn't that mean it works because the origin domain is still the same as self? Why is this happening?
1 replies