Hi, Cloudflare is still injecting the JS for a cloudflare app into my site, even though I have uninstalled the app. At first this was the Google Analytics app, but then I installed (and a bit later, uninstalled) a random background app, and now its continuing to load that app instead, and stopped trying to load the Google Analytics app. I’ve also cleared the cache for the whole site, which didn’t affect it, along with sending in a support ticket, tho they stopped replying to me once I sent in my HAR file (I haven’t had a reply since October 18th, even through I bumped the ticket a few days ago). Due to Cloudflare injecting the JS, I’m also getting spammed with CSP reports, which also emails me, and I’d rather not have to drop Cloudflare.
Whats the domain and the ticket number?
oh whoops sorry, I didn’t get a notification that you replied. The ticket number is 1769913 and the domain is flightzero.cf
I assumed you installed https://www.cloudflare.com/apps/random-background, right?
You said you cleared the cache. Did you mean the cache on Cloudflare? Can you try again?
Also, are you sure https://dash.cloudflare.com/redirect?zone=apps/installed-apps does not list any application any more?
Yeah, thats the app I installed. Yeah I cleared the cache on cloudflare, and I tried again, but still no luck. And yes, the installed apps page no longer lists the random background app.
In that case I am afraid you’ll have to wait for support.
I see the ticket and the issue, sorry for the issues & delay. I’ve added myself to the ticket and see what I can find out.
Ah yeah, I saw the email in my indox and tried the suggestion of reinstalling and then uninstalling both apps, but the JS is still being injected. I also tried waiting a bit and clearing the cache, but that didn’t help either.
I am afraid you will have to get back to support and respond that the issue hasnt been fixed by the way they suggested.
I did, I responded both here and in the ticket.
hm, after unminifying the JS that cloudflare is injecting (https://hastebin.com/orasolunip.js) it looks like it wasn’t due to the app not being uninstalled, it was due to cloudflare always injecting the JS when theres any app installed, despite it not doing this before, so having the logflare app installed, which doesn’t even interact with the page directly, and instead uses a worker, is causing the JS to be injected.
I can confirm … my test site (nginx only) is serving Cloudflare JS also.
Only Logflare is installed.
@cloonan is cloudflare still injecting JS even tho there are no user facing apps installed intended, or is it a bug?
I’m having the same issue.
I only have Logflare like @chasers
From Cloudflare support:
I have contacted our engineering team regarding your enquiry. They came back to me telling that it looks the JS is injected by default if an app is installed, even if it’s only a Workers app.
The project is currently in maintenance mode so we probably won’t be addressing this given the script is small and innocuous.
yes, it is not possible to remove the injected .js script even if you put off the yellow cloudflare cloud in the dns settings. You have to go away from cloudflare to not have the script injected.
Dear cloudflare team, this might even be a good topic for a PR issue. In some countries it is by law not allowed to inject scripts into pages for legal reason. Think for example government organisations and their internal web sites.