Cloudflare is currently injecting inline JavaScript (just before the closing body tag) into my pages, which is blocked by my Content-Security-Policy, resulting in many console and Report-URI errors.
The JS is as follows:
<script type="text/javascript">(function(){window['__CF$cv$params']={r:'xxxxx',m:'xxxxx-xxxxx-xxxxx-xxxxx==',s:[xxxxx,xxxxx],}})();</script>
Is one of my Cloudflare settings causing this, or is this injected by Cloudflare for all customers? I know it’s not the email obfuscation decoding script, as that is in there separately, and served as a file.
To avoid lowering my Content-Security-Policy and allowing inline JavaScript, I’d like to either turn this off or have it in a served file. Or whatever the case, there must be a better way of handling this.
Security is set to Medium, and we have the CF WAF on, along with the CF Miscellaneous and CF Specials managed rules on. Bot Fight Mode is also on, under Firewall > Tools.
I may be wrong, but as far as I know, this inline JS only showed up fairly recently - I keep an eye on our CSP logs.
Thank you, turning off Bot Fight Mode removed the inline JS.
Bit of a shame I have to choose between the discouragement of bots and not violating a strict Content-Security-Policy. Could Cloudflare serve this differently, so as to not violate CSP?
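For anyone watching CSP logs for the same thing, here is an added example (not part of the original posts and not Cloudflare code) that triages CSP violation reports and separates the injected script quoted above from other inline-script violations. It assumes the policy includes 'report-sample' and that reports arrive in the legacy report-uri JSON shape; the function names and the sample reports are constructed for illustration.

```javascript
// Identifier taken from the injected script quoted in the thread.
const CF_MARKER = "__CF$cv$params";

// Classify one report body posted to a report-uri endpoint.
// Assumption: browsers send {"csp-report": {...}} and, when the policy has
// 'report-sample', include the first 40 characters of the blocked script.
function classifyReport(body) {
  const r = body && body["csp-report"];
  if (!r || typeof r !== "object") return "invalid";
  const directive = r["effective-directive"] || r["violated-directive"] || "";
  if (!directive.startsWith("script-src")) return "other";
  if (r["blocked-uri"] !== "inline") return "script-not-inline";
  const sample = r["script-sample"] || "";
  if (sample.includes(CF_MARKER)) return "cloudflare-injected";
  // An inline block we cannot attribute deserves a closer look than a known one.
  return sample ? "inline-unknown" : "inline-no-sample";
}

// Count reports per class so a sudden new class stands out in the logs.
function summarize(reports) {
  const counts = {};
  for (const rep of reports) {
    const kind = classifyReport(rep);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports (not real log data).
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "script-src-elem", "blocked-uri": "inline",
      "script-sample": "(function(){window['__CF$cv$params']={r:" } },
  { "csp-report": { "document-uri": "https://example.com/contact",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline",
      "script-sample": "document.write('<img src=" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "script-src-elem",
      "blocked-uri": "https://cdn.example.net/a.js" } },
  { "csp-report": { "document-uri": "https://example.com/",
      "effective-directive": "style-src-attr", "blocked-uri": "inline" } },
  { "unexpected": true },
];

console.log(summarize(SAMPLE_REPORTS));
```

Reports classified as inline-unknown or inline-no-sample are the ones to review by hand, since they are not explained by the injected script.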