Tincan
I'm using nuxt-security but Cloudflare seems to be ignoring or overwriting it
@kapa.ai when I use "<script setup lang="ts">
// useNonce is not provided by @nuxt/image but might be
// provided by another module, for example nuxt-security
const nonce = useNonce()
</script>" I get "Cannot find name 'useNonce'". Shouldn't it already be available if I'm using nuxt-security?
70 replies
@kapa.ai so it's not an issue that would stop the site from being generated/loaded in the browser? Does the same apply to the following:
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://127.0.0.1:8788/_nuxt/WnayIPFD.js from being executed because it violates the following directive: “script-src 'self' https://player.vimeo.com https://www.googletagmanager.com https://cdn.jsdelivr.net/npm/chart.js https://static.cloudflareinsights.com/beacon.min.js/ 'strict-dynamic' http://ajax.cloudflare.com 'nonce-e50da63ea6db2d9339e6c73d0aa494f8' http://ff.kis.v2.scr.kaspersky-labs.com ws://ff.kis.v2.scr.kaspersky-labs.com” 127.0.0.1:8788
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' https://player.vimeo.com https://www.googletagmanager.com https://cdn.jsdelivr.net/npm/chart.js https://static.cloudflareinsights.com/beacon.min.js/ 'strict-dynamic' http://ajax.cloudflare.com 'nonce-e50da63ea6db2d9339e6c73d0aa494f8' http://ff.kis.v2.scr.kaspersky-labs.com ws://ff.kis.v2.scr.kaspersky-labs.com” 127.0.0.1:8788:35:9
None of the “sha384” hashes in the integrity attribute match the content of the subresource at “http://127.0.0.1:8788/_nuxt/WnayIPFD.js”. The computed hash is “OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb”.
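The first console message above is consistent with how CSP Level 3 treats `'strict-dynamic'`: when it is present in `script-src`, `'self'` and host sources are ignored, so a parser-inserted script needs a matching nonce or hash. The following is an added example, not code from the thread or from nuxt-security; it is a simplified model (hash sources and wildcards are not handled), and the `script` object shape is an assumption made for illustration.

```javascript
// Added example (not from the thread): simplified CSP Level 3 script-src evaluation.
// POLICY is the directive quoted in the console message above.
const POLICY = "script-src 'self' https://player.vimeo.com https://www.googletagmanager.com https://cdn.jsdelivr.net/npm/chart.js https://static.cloudflareinsights.com/beacon.min.js/ 'strict-dynamic' http://ajax.cloudflare.com 'nonce-e50da63ea6db2d9339e6c73d0aa494f8' http://ff.kis.v2.scr.kaspersky-labs.com ws://ff.kis.v2.scr.kaspersky-labs.com";

// Split the script-src directive into the source kinds that matter here.
function parseScriptSrc(policy) {
  const directive = policy.split(";").map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "script-src");
  if (!directive) return null;
  const src = { strictDynamic: false, self: false, nonces: [], hosts: [] };
  for (const token of directive.slice(1)) {
    const lower = token.toLowerCase();
    if (lower === "'strict-dynamic'") src.strictDynamic = true;
    else if (lower === "'self'") src.self = true;
    else if (lower.startsWith("'nonce-")) src.nonces.push(token.slice(7, -1));
    else if (!token.startsWith("'")) src.hosts.push(token); // host/scheme sources
  }
  return src;
}

// Simplified host-source match: same origin and path prefix; no wildcard support.
function hostMatches(source, url) {
  const s = new URL(source);
  return s.origin === url.origin && (s.pathname === "/" || url.pathname.startsWith(s.pathname));
}

// script: { url, pageOrigin, nonce, parserInserted } (hypothetical shape for this example)
function evaluateScript(policy, script) {
  const src = parseScriptSrc(policy);
  if (!src) return { allowed: true, reason: "no script-src directive" };
  if (script.nonce && src.nonces.includes(script.nonce))
    return { allowed: true, reason: "nonce matches" };
  if (src.strictDynamic) {
    // With 'strict-dynamic', 'self' and host sources are ignored entirely.
    return script.parserInserted
      ? { allowed: false, reason: "needs a nonce or hash; 'self' and hosts are ignored" }
      : { allowed: true, reason: "inserted by an already trusted script" };
  }
  const url = new URL(script.url);
  if (src.self && url.origin === script.pageOrigin) return { allowed: true, reason: "'self'" };
  if (src.hosts.some((h) => hostMatches(h, url))) return { allowed: true, reason: "host source" };
  return { allowed: false, reason: "no matching source" };
}

// The blocked chunk from the console message, modelled as a parser-inserted tag without a nonce.
const blocked = { url: "http://127.0.0.1:8788/_nuxt/WnayIPFD.js", pageOrigin: "http://127.0.0.1:8788", nonce: "", parserInserted: true };
console.log(evaluateScript(POLICY, blocked));
```

The same tag carrying the nonce from the header passes, which is why a nonce that is missing or altered between the server render and the browser produces this violation even though the file is same-origin.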
@kapa.ai what about when antivirus blocks things, e.g.:
Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://ff.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js?attr=8kbcs6l3CiCzz8t2LXpEmsu3pCP5bwNF0agdJL8c7_KoBHzRLKeEJMqFTOXknv-Y from being executed because it violates the following directive: “script-src http://ff.kis.v2.scr.kaspersky-labs.com ws://ff.kis.v2.scr.kaspersky-labs.com https://player.vimeo.com https://www.googletagmanager.com https://cdn.jsdelivr.net/npm/chart.js https://static.cloudflareinsights.com/beacon.min.js/ 'self' 'strict-dynamic' 'sha256-iI7pxds699kE3jKC0r7POjf2ohIRYoUQ9TKip9gun8c=' 'sha256-htlewAKbtuwB0scGZ96GdU03NjFewLt451c2e+psH3U=' 'sha256-FeCIeJAJ+uc5r8SCcondxxdDjoMjIOPUQLvmNNjuHbI=' 'sha384-grva2rtmxP+Z9JWDFDJYG/kOnWm0zrEe98neEIfATgd9CzduNGj14hgfrLagNHB5'”
@kapa.ai OK, I checked and the three things are already disabled in CF settings:
Speed > Optimization > Content Optimization > Disable "Rocket Loader™"
Speed > Optimization > Image Optimization > Disable "Mirage"
Scrape Shield > Disable "Email Address Obfuscation"
@kapa.ai nuxt-security docs do say to disable Rocket Loader, but Cloudflare docs say: "Using a CSP with Cloudflare
Cloudflare’s CDN is compatible with CSP.
Cloudflare does not:
Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running).
Require changes to acceptable sources for first or third-party content.
Modify URLs (besides adding the /cdn-cgi/ endpoint and Cloudflare Fonts that rewrites Google Fonts urls).
Interfere with locations specified in your CSP.
If you require the CSP headers to be changed or added, you can change them using some Cloudflare products:
If your website is proxied through Cloudflare, you can use a Response Header Modification rule to replace or add CSP headers.
If your website is hosted using Cloudflare Pages, you can set a _headers file to modify or add CSP headers.
Product requirements
To use certain Cloudflare features, however, you may need to update the headers in your CSP:
Feature(s) | Updated headers
Rocket Loader, Mirage | script-src 'self' ajax.cloudflare.com;
Cloudflare Apps, Scrape Shield | script-src 'self' 'unsafe-inline'
Web Analytics | script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com
Bot products | Refer to JavaScript detections and CSPs.
Page Shield | Refer to Page Shield CSP Header format.
Zaraz | No updates required (details).
Turnstile | Refer to Turnstile CSP."