Allow tighter Content-Security-Compliance on apps injection?

Are there any plans to allow sites to retain ‘tight’ (ish) CSP when using these injected app? The couple I quickly looked at just added inline js with tags. It would be nice if they were instead loaded from a dedicated Cloudflare ‘apps’ subdomain which one could whitelist in the CSP ‘script-src’ but I realise this would be a major architectural change! An alternative may be to include a nonce value in the tag which the webmaster could provide to you by way of a new header, such as X-Cf-nonce? That is to say that the site-generated nonce be included in both the page’s CSP and returned in a header such that the injected app could use it to maintain compliance.

As you know unsafe-inline and eval are being frowned upon these days in security checks but appear presently mandatory for your apps without some kind of change. Adding a nonce would seem most logical, I guess.

EDIT: Actually I was looking in preview, in live mode things look better installed but there’s a bit of ‘data’.

Hi Saul, I’m a member of the App’s team here at Cloudflare and should be able to answer your question.

There are many apps like Welcome Bar or Cover Message which don’t load any external resources at all. Since we host your Cloudflare Apps on the same domain as your site, they shouldn’t require any modification to your CSP.

There are other apps though like Privy or YouTube which interact with third-party services and therefore would need to be whitelisted in your CSP. We are working on ways of both making your CSP comply with the apps you install, and with allowing apps to include resources in such a way that they don’t violate your CSP, but I don’t have a word yet on when either solution will be available. If you have any other thoughts on it, we’re very interested.


I like the idea of adding the nonce property, even for the inline scripts, which are injected by CF.

@zack I also think that adding a nonce property is totally necessary for scripts injected by Cloudflare (i.e. Rocket Loader, Scrape Shield etc.). It really is the only viable way to use those features whilst still having a sufficiently strong script-src CSP. Surely this would be as simple as getting the existing nonce value from the CSP and applying it to the injected script tags…?

We’re seeing a stylesheet that would be blocked with our CSP from the Better Browser Cloudflare app. It’s injecting as data:text/css;charset=utf-8;base64,Y2xv.... Is there a way to include this in our CSP without dangerously including all data:text/css injections?