Cloudflare's inline scripts cause CSP problems

This problem has been mentioned a few times, but there isn’t any resolution mentioned before the issues are automatically closed.

The Super Bot Fight Mode injects inline scripts into pages which causes CSP errors. Google recommends against inline scripts in general here:

If you must have inline script and style, you can enable it by adding 'unsafe-inline' as an allowed source in a script-src or style-src directive. You can also use a nonce or a hash (see below), but you really shouldn’t. Banning inline script is the biggest security win CSP provides, and banning inline style likewise hardens your application. It’s a little bit of effort up front to ensure that things work correctly after moving all the code out-of-line, but that’s a tradeoff that’s well worth making.

Is there a way that Cloudflare could move that inline code into an external file so that we don’t have to turn off CSP protection in order to block bots?

Here’s a related discussion: CF-Injected Inline JavaScript Conflicts with Content-Security-Policy

Edit: I found the CSP information on this page, but the CSP errors still appear on my site along with this message:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). Source: (function(){var js = "window['__CF$cv$params']= …

None of the “sha512” hashes in the integrity attribute match the content of the subresource.

A private Safari window just prints out this error:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

I’m using Discourse, and both of these are in the content security policy script src settings, though I think only the first one is needed:

https://forum.example.com/cdn-cgi/
https://forum.example.com/cdn-cgi/challenge-platform/
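The two host entries above explain why the errors persist: a host source in script-src only authorizes external scripts fetched from that origin, while an inline script is allowed only by 'unsafe-inline', a matching nonce, or a matching hash. The checker below is an added example (not code from the original post, Discourse, or Cloudflare) that evaluates an inline script body against a CSP header the way a browser does; the policy strings and the script body are constructed placeholders.

```python
import base64
import hashlib

# Constructed placeholder standing in for an injected inline script body.
SAMPLE_INLINE = "window['__CF$cv$params']={/* constructed placeholder */};"

# Constructed policy mirroring the post: host entries only, no nonce or hash.
HOST_ONLY_POLICY = ("default-src 'self'; script-src 'self' "
                    "https://forum.example.com/cdn-cgi/ "
                    "https://forum.example.com/cdn-cgi/challenge-platform/")

def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_hash(script_body, algo="sha256"):
    """Return the CSP hash-source ("'sha256-<base64>'") for an inline script.
    The digest covers the exact text between <script> and </script>."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def inline_script_allowed(header, script_body, nonce=None):
    """Return (allowed, reason) for an inline script under the policy.
    Host sources never authorize inline script; only 'unsafe-inline', a
    matching nonce, or a matching hash does, and 'unsafe-inline' is ignored
    as soon as any nonce or hash source is present (CSP level 2+)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources)
    if nonce and f"'nonce-{nonce}'" in sources:
        return True, "nonce matches"
    for algo in ("sha256", "sha384", "sha512"):
        if csp_hash(script_body, algo) in sources:
            return True, f"{algo} hash matches"
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True, "'unsafe-inline' present and not overridden"
    return False, "no matching nonce, hash, or 'unsafe-inline'"

if __name__ == "__main__":
    print(inline_script_allowed(HOST_ONLY_POLICY, SAMPLE_INLINE))
    print("hash source to add:", csp_hash(SAMPLE_INLINE))
```

A hash only helps if the injected script text never changes, so a per-response nonce is the only option when the injected body varies.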

You might try adding a nonce to your CSP: