Challenges.cloudflare.com api.js rewritten to proxy through opendns.com breaks CSP

What is the name of the domain?

example.com

What is the issue you’re encountering

Content Security Policy script-src doesn’t match rewritten URL for api.js

What steps have you taken to resolve the issue?

Trying to determine if Cisco Umbrella is rewriting the api.js URL

What are the steps to reproduce the issue?

User was not able to pass the Turnstile check because the URL for the api.js was rewritten to:

https://challenges.cloudflare.com.x..id.opendns.com/s/challenges.cloudflare.com/turnstile/v0/api.js?X-OpenDNS-Session=__render=explicit

This doesn’t match the Content Security Policy script-src https://challenges.cloudflare.com we are (currently) using.

Any idea why opendns.com is rewriting this URL?

Not really, I’m afraid it’s likely something only the owners of said product could answer.


For posterity…

I sent a message to the Cisco Umbrella support asking them about challenges.cloudflare.com and the URL rewrite.

They responded with good information including:
“Currently we no longer see the domain of challenges.cloudflare.com on our Grey List as it has been removed due to the blocked URL being a false positive. Moving forward you should not see the domain being rewritten.”
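
Added example, not part of the thread and not Cloudflare or Cisco code: a simplified CSP host-source matcher showing why the rewritten api.js URL fails `script-src https://challenges.cloudflare.com`, plus a triage helper for CSP violation reports that flags an allowed host embedded as the leading labels of a proxy hostname. The function names are hypothetical, the rewritten URL is a constructed stand-in for the one quoted above (its elided labels are replaced with `placeholder`), and only scheme, host and port are compared.

```javascript
// Simplified CSP host-source matching: scheme, host and port only.
// Path matching and keyword sources ('self', nonces, hashes) are not modelled.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parseSource(expr) {
  // Accepts host-sources such as "https://challenges.cloudflare.com"
  // or "https://*.example.com:8443".
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

function hostSourceMatches(expr, url) {
  const src = parseSource(expr);
  if (!src) return false;
  const u = new URL(url);
  if (src.scheme && src.scheme !== u.protocol) return false;
  const host = u.hostname.toLowerCase();
  // The host must be equal, or a subdomain when the source starts with "*.".
  // A source host appearing as a prefix of a longer hostname never matches.
  const hostOk = src.wildcard ? host.endsWith("." + src.host) : host === src.host;
  if (!hostOk) return false;
  const want = src.port || DEFAULT_PORTS[u.protocol];
  return want === "*" || (u.port || DEFAULT_PORTS[u.protocol]) === want;
}

function classifyScriptUrl(sourceList, url) {
  if (sourceList.some((s) => hostSourceMatches(s, url))) return "allowed";
  const host = new URL(url).hostname.toLowerCase();
  // An allowed host followed by further labels points at a rewriting proxy:
  // the domain actually serving the script is the remaining suffix.
  const embedded = sourceList.map(parseSource).filter(Boolean)
    .find((s) => host.startsWith(s.host + "."));
  return embedded
    ? "blocked: allowed host embedded in " + host.slice(embedded.host.length + 1)
    : "blocked";
}

const SCRIPT_SRC = ["https://challenges.cloudflare.com"];
const ORIGINAL = "https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit";
// Constructed sample modelled on the rewritten URL in the post.
const REWRITTEN = "https://challenges.cloudflare.com.x.placeholder.id.opendns.com" +
  "/s/challenges.cloudflare.com/turnstile/v0/api.js";

console.log(classifyScriptUrl(SCRIPT_SRC, ORIGINAL));
console.log(classifyScriptUrl(SCRIPT_SRC, REWRITTEN));
```

Running `classifyScriptUrl` over the blocked URLs collected from CSP violation reports separates proxy rewrites like this one from ordinary policy gaps.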