The speculation script injection is still occuring even after disabling the Speed Brain feature from the dashboard. It results in a Content Security Policy error on my side. I don’t have any use for this feature because of the nature of my website. Is there any way to fix this?
We already identified the issue and are working on a fix, which should be released in the next few days.
Regarding the CORS issue, you can indeed use Transform Rules. Another alternative would be to add script-src 'self' /cdn-cgi/speculation to your Content-Security-Policy header. But this solution is probably not useful for you, since you want to disable Speed Brain entirely, and that Speculation-Rules header shouldn’t be there in the first place. Again, we are actively working on it. I’ll keep you posted.