BUG Speed Brain: Script injection applied even if disabled

What is the name of the domain?

leomercier.blog

What is the issue you’re encountering

The speculation script injection is still occuring even after disabling the Speed Brain feature from the dashboard. It results in a Content Security Policy error on my side. I don’t have any use for this feature because of the nature of my website. Is there any way to fix this?

To complete this post, a temporary workaround is to create a transform rule to remove the “Speculation-Rules” header. Credits: https://community.cloudflare.com/t/cdn-cgi-speculation-applies-even-if-disabled/714033/8.

Thanks for reporting this @le1112osee,

We already identified the issue and are working on a fix, which should be released in the next few days.

Regarding the CORS issue, you can indeed use Transform Rules. Another alternative would be to add script-src 'self' /cdn-cgi/speculation to your Content-Security-Policy header. But this solution is probably not useful for you, since you want to disable Speed Brain entirely, and that Speculation-Rules header shouldn’t be there in the first place. Again, we are actively working on it. I’ll keep you posted.

2 Likes

Thank you for your answer, is there any news on the fix being released?