Beacon.min.js blocked by CORS

Our site is proxied by CF and Web Analytics are in Automatic setup.
But it looks like the integration is not correct, because of errors in the JS console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194. (Reason: CORS request did not succeed). Status code: (null).

None of the “sha512” hashes in the integrity attribute match the content of the subresource.

The script is embedded in the site through:
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"6cf2bdd49f6ecbb4","version":"2021.12.0","r":1,"token":"4ba37d364c2f4ecf8744c02168321e3d","si":100}' crossorigin="anonymous"></script>

Can you please provide us with a URL that throws that error?

I quickly checked the SRI Hash:

$ curl -Ls https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194 | openssl dgst -sha512 -binary | openssl base64 -A
Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==

The hash itself is valid and correct. And since crossorigin="anonymous" is set, I don't see an obvious reason for the integrity check to fail.
If you can provide us with a URL we can look into this.

You can check if your browser fully supports subresource integrity here: https://w3c-test.org/subresource-integrity/subresource-integrity.html

I developed a little tool for this and future use cases like this.

Feel free to test it and validate SRI Hashes against the output of the tool:

Here you go: https://sri.hotmann.de/

Not beautiful, but it should do the job.

You can check it on this site:

As you wrote, the hash looks correct.
My browser is: FF 95.0.2

For me, the script is loading correctly:
Also nothing in the console about any of the above mentioned errors.

Can you quickly try Chrome as a browser and see if the error also occurs in a Chromium-based browser?

FF 96.0.1 - same problem
EDGE 97.0.1072.62 - OK
Chrome 97.0.4692.71 - OK

FF:

That clearly indicates a FF problem. I would like to ask you to disable all plugins, maybe even reinstall.

I will quickly test from my FF, then I will report back.

EDIT:

For me it's working on FF v96.0.1


Seems like a local problem. I would recommend reinstalling. But definitely not a Cloudflare problem/error.

I will do some further investigation, but for now, I can confirm that this problem occurs on both of my computers.

I have the same problem on Pleroma.

The url is SARAMARA

It is not the same problem. Also, this problem is not related to Cloudflare at all, since Cloudflare does not modify your CSP by default.

To fix your problem, please inform yourself about CSP and how to set/change it on your application. I don’t know anything about Pleroma, but your CSP atm is:

content-security-policy: upgrade-insecure-requests;script-src 'self';connect-src 'self' blob: https://easy.saramara.ai wss://easy.saramara.ai;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src 'self';

Please modify it (add “*.cloudflareinsights.com” to script-src) so it becomes:

content-security-policy: upgrade-insecure-requests; script-src 'self' *.cloudflareinsights.com; connect-src 'self' blob: https://easy.saramara.ai wss://easy.saramara.ai;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src 'self';

This will allow the browser of your visitors to load scripts from Cloudflare, like the script you want to include. Please keep in mind, this problem does not come from Cloudflare, but from your misconfigured CSP.

Next time, please use a separate thread for a separate problem, or research the problem with the search function.

2 Likes
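
The CSP change described in the last reply, as an added example that is not part of the original thread or Cloudflare's code: a simplified script-src matcher run over abridged copies of the two policies quoted above. The function names and `PAGE_ORIGIN` are assumptions; ports, paths, nonces and hashes are not evaluated.

```javascript
// Added example: simplified CSP source matching for script loads (not a full CSP Level 3 engine).
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression allow `url` on a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false; // 'none', nonces, hashes: never a URL match here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  // Assumption: the page is HTTPS, so a scheme-less host source only matches https: URLs.
  if (url.protocol !== (scheme ? scheme.toLowerCase() + ':' : 'https:')) return false;
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, not example.com itself.
  return h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// script-src-elem falls back to script-src, which falls back to default-src.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['script-src-elem'] ?? policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true; // no governing directive: nothing is blocked
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE_ORIGIN = 'https://example.org'; // constructed placeholder for the protected site
const BEACON = 'https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194';
// Abridged from the two policies quoted in the thread.
const CSP_BEFORE = "upgrade-insecure-requests;script-src 'self';default-src 'none';base-uri 'self'";
const CSP_AFTER = "upgrade-insecure-requests; script-src 'self' *.cloudflareinsights.com; default-src 'none';base-uri 'self'";

console.log('before:', scriptAllowed(CSP_BEFORE, BEACON, PAGE_ORIGIN));
console.log('after: ', scriptAllowed(CSP_AFTER, BEACON, PAGE_ORIGIN));
```
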
