Cloudflare Causing Console Errors

Half of my page loads are filled with console errors thanks to scripts injected by Cloudflare:

invisible.js:1 [Report Only] Refused to create a worker from ‘https://example.com/cdn-cgi/challenge-platform/h/b/scripts/pica.js’ because it violates the following Content Security Policy directive: “worker-src ‘none’”.

c. @ invisible.js:1
(anonymous) @ invisible.js:1
(anonymous) @ invisible.js:1
example.com/:1 [Report Only] Refused to create a worker from ‘https://example.com/cdn-cgi/challenge-platform/h/b/scripts/pica.js’ because it violates the following Content Security Policy directive: “worker-src ‘none’”.

invisible.js:1 POST about:blank net::ERR_UNKNOWN_URL_SCHEME
c. @ invisible.js:1
(anonymous) @ invisible.js:1
(anonymous) @ invisible.js:1
example.com/:1 POST about:blank net::ERR_UNKNOWN_URL_SCHEME
invisible.js:1 [Deprecation] ‘window.webkitStorageInfo’ is deprecated. Please use ‘navigator.webkitTemporaryStorage’ or ‘navigator.webkitPersistentStorage’ instead.
g @ invisible.js:1
h @ invisible.js:1
i @ invisible.js:1
j @ invisible.js:1
q. @ invisible.js:1
w.fACnf @ invisible.js:1
u. @ invisible.js:1

1 Like

Interesting…I’ve never used worker-src in my CSPs. And now I’m curious as to what “challenge-platform” is.

Have you changed any Firewall settings here? (bot fight modes, Firewall Rules) Or have you added any Apps from Dashboard → Apps?

I suppose the contents of that pica.js might offer a clue. I skimmed it, but nothing jumps out at me. I’ve not seen that resource in any of my sites. Maybe an @MVP has seen this resource.

I don’t use any apps. The apps are hilariously out of date.

I do use Bot Fight Mode (regular one). I haven’t had any issues, so if it is the cause, they must have changed something recently. I’ll disable it and see if it makes a difference. I have also looked at pica.js and invisible.js but have no idea what they do or relate to.

This issue started within the last two weeks.

From what I can find “pica” is a image resize library, this could be unrelated but worth a check. Do you have Polish enabled?

Not sure why it would be under challenge-platform but worth a shot

Thanks for the reply. I don’t have Polish enabled. I did disable Privacy Pass Support and Bot Fight Mode and the scripts aren’t loading any more. Not sure which of the two caused it, but it’s one of them.

1 Like

I guess the solution is to either disable that Cloudflare feature, or add ‘self’ to worker-src.

1 Like

I have similar issues with this pica.js in combination with COEP:

Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE
https://example.com/cdn-cgi/challenge-platform/h/g/scripts/pica.js

With a detailed explanation of this:

Specify a Cross-Origin Embedder Policy to prevent this frame from being blocked

Because your site has the Cross-Origin Embedder Policy (COEP) enabled, each embedded iframe must also specify this policy. This behavior protects private data from being exposed to untrusted third party sites.

To solve this, add the following to the embedded frame’s HTML response header: Cross-Origin-Embedder-Policy: require-corp

Affected Resources:
1 request
pica.js

I can confirm that this did recently starting to happen, my page is running for months with COEP enabled and without any issues or console warnings. Seems that something has changed on Cloudflare side recently.

Any news on that?

None that I’m familiar with. Doesn’t seem possible to get support from Cloudflare on the free tier. I understand they probably have a billion support requests, so it is what it is.

The only option is to try what was already suggested or disable Bot Fight Mode which causes it.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.