CF-Injected Inline JavaScript Conflicts with Content-Security-Policy

Hi all

Cloudflare is currently injecting inline JavaScript (just before the closing body tag) into my pages, which is blocked by my Content-Security-Policy, resulting in many console and Report-URI errors.

The JS is as follows:
<script type="text/javascript">(function(){window['__CF$cv$params']={r:'xxxxx',m:'xxxxx-xxxxx-xxxxx-xxxxx==',s:[xxxxx,xxxxx],}})();</script>

Is one of my Cloudflare settings causing this, or is this injected by Cloudflare for all customers? I know it’s not the email obfuscation decoding script, as that is in there separately, and served as a file.

To avoid lowering my Content-Security-Policy and allowing inline JavaScript, I’d like to either turn this off or have it in a served file. Or whatever the case, there must be a better way of handling this.

Which Cloudflare plan are you using?
Any Bot management or Firewall, or Security thing enabled?

The site is on the Pro plan.

Security is set to Medium, and we have the CF WAF on, along with the CF Miscellaneous and CF Specials managed rules on. Bot Fight Mode is also on, under Firewall > Tools.

I may be wrong, but as far as I know, this inline JS only showed up fairly recently - I keep an eye on our CSP logs.

This has come up many times:
https://community.cloudflare.com/search?q=__CF$cv$params


Thank you, turning off Bot Fight Mode removed the inline JS.

Bit of a shame I have to choose between the discouragement of bots and not violating a strict Content-Security-Policy. Could Cloudflare serve this differently, so as to not violate CSP?
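One way to keep the CSP logs mentioned in the thread readable while the injected snippet is still present, as an added example that is not from the thread or from Cloudflare: a small Python triage script that separates violation reports caused by the quoted `__CF$cv$params` inline script from every other script-src violation, so the remainder can still be reviewed. It assumes the policy includes `'report-sample'` so reports carry a `script-sample` field; the log lines below are constructed.

```python
import json
from typing import Iterable

# Marker from the inline snippet quoted in the thread (window['__CF$cv$params']).
CF_MARKER = "__CF$cv$params"

# Constructed sample of newline-delimited CSP violation reports, in the JSON
# shape a browser POSTs to report-uri. Not real traffic; the last line is junk.
SAMPLE_LOG = """
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "inline", "script-sample": "(function(){window['__CF$cv$params']={r:"}}
{"csp-report": {"document-uri": "https://example.test/about", "effective-directive": "script-src", "blocked-uri": "inline", "script-sample": "document.getElementById('menu').classList"}}
{"csp-report": {"document-uri": "https://example.test/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.test/widget.js"}}
not json at all
"""

def parse_reports(lines: Iterable[str]) -> list:
    """Parse one JSON report per line; skip blank or malformed lines."""
    reports = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue
        reports.append(body.get("csp-report", body))
    return reports

def is_cf_inline_report(report: dict) -> bool:
    """Inline script-src violation whose sample carries the Cloudflare marker.
    script-sample is only sent when the policy contains 'report-sample' and
    holds the first 40 characters, which is enough to include the marker."""
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    if not directive.startswith("script-src") or report.get("blocked-uri") != "inline":
        return False
    return CF_MARKER in report.get("script-sample", "")

def triage(lines: Iterable[str]) -> dict:
    """Separate the known Cloudflare snippet from everything else, so the
    remainder can be reviewed as possible real injections or policy gaps."""
    reports = parse_reports(lines)
    cf = [r for r in reports if is_cf_inline_report(r)]
    other = [r for r in reports if not is_cf_inline_report(r)]
    return {"total": len(reports), "cloudflare_inline": len(cf), "other": len(other),
            "other_blocked": sorted(r.get("blocked-uri", "") for r in other)}
```

Run `triage(SAMPLE_LOG.splitlines())` to see the split; on a real feed, point `parse_reports` at the file your report endpoint writes.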