Bot Fight Mode CSP with nonce not working

With Bot Fight Mode enabled I have followed the instructions here:

And added a Content-Security-Policy: script-src 'self' 'nonce-${random}' ...

However Cloudflare is not injecting this nonce into the <script> tag and the console shows:

Refused to execute inline script because it violates the following Content Security Policy directive

Viewing the page source shows no nonce attribute in the injected JS

<script>(function(){if (!document.body) return;var js = "window['__CF$cv$params']=

Can anyone see what is wrong? The error can be reproduced here: https://www.cwsparkinson.co.uk

Sorry to bump, but does anyone have any guidance? I was hoping maybe CF just took some time to notice the CSP, but it has been almost a week now and it is still not working.

I have included a working testcase website so I am not sure what more I can offer.

Alternatively, does anyone know of a website with Bot Fight Mode enabled which uses the nonce technique so I can look at the CSP and compare with it?
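One way to check for the symptom described in this thread, given a response's Content-Security-Policy header and its HTML body, is to list every inline script whose nonce attribute matches no nonce in script-src. This is an added example, not part of the original posts and not Cloudflare code; the function names, the sample header and the sample HTML are constructed for illustration, and the check assumes the policy authorises inline scripts by nonce only.

```python
from html.parser import HTMLParser

def script_nonces(csp_header):
    """Nonce values allowed by script-src (falling back to default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in browsers
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    return {s[7:-1] for s in sources
            if s.lower().startswith("'nonce-") and s.endswith("'")}

class InlineScriptFinder(HTMLParser):
    """Collect [nonce attribute, body] for every <script> without src."""
    def __init__(self):
        super().__init__()
        self.inline, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._current = [attrs.get("nonce"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.inline.append(self._current)
            self._current = None

def blocked_inline_scripts(csp_header, html):
    """Inline scripts whose nonce attribute matches no nonce in the policy.
    Assumes the policy authorises inline scripts by nonce only (no hashes)."""
    allowed = script_nonces(csp_header)
    finder = InlineScriptFinder()
    finder.feed(html)
    finder.close()
    return [(nonce, body.strip()[:40]) for nonce, body in finder.inline
            if body.strip() and nonce not in allowed]

# Constructed sample response: one script carries the policy's nonce, one does not.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'"
SAMPLE_HTML = """<html><body>
<script nonce="abc123">console.log("app");</script>
<script>(function(){ /* injected without nonce */ })();</script>
</body></html>"""
```

Run it against the header and body of the same response, since a nonce is only meaningful for the response it was generated for.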
