Content Security Policy with Managed Challenge

I was testing the transform rules to set headers instead of using the origin and ran into an issue. When it is set in Transform rules > Modify response header, it causes the managed challenge to fail as it can’t load the needed scripts.

My CSP is as follows:

default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'self'

If they all came from the /cdn-cgi/ or an external domain, it could easily be allowlisted in the CSP, but it appears to be using inline scripts. I would accept using a nonce in the policy except there was no way under the transform rules I could see to have it generate a new one per request.

What is the best way to do this? I don’t want to use unsafe-inline for script-src as it defeats many of the protections the CSP offers. My current fix is just sending the CSP from the origin as that doesn’t get sent until after the managed challenge is completed.
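
Added example, not part of the original post: a simplified Node.js model of how a browser decides whether an inline script element runs under the policy quoted above, and why a nonce only works when the header is rebuilt for every response. The function names are hypothetical, and hash matching and 'strict-dynamic' are not modelled.

```javascript
const { randomBytes } = require('crypto');

// Policy from the post, with the straight quotes CSP requires.
const POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; " +
  "block-all-mixed-content; base-uri 'self'";

// Parse a policy into Map<directive, sources[]>; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Script elements fall back script-src-elem -> script-src -> default-src.
function effectiveScriptSources(directives) {
  for (const d of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(d)) return directives.get(d);
  }
  return null; // no directive applies, so scripts are unrestricted
}

// Would an inline <script nonce="scriptNonce"> (or one with no nonce) execute?
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  const nonces = sources.map(s => /^'nonce-(.+)'$/i.exec(s)).filter(Boolean).map(m => m[1]);
  const hasHash = sources.some(s => /^'sha(256|384|512)-.+'$/i.test(s));
  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (nonces.length > 0 || hasHash) return false;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Build the header for ONE response. Assumption: the component emitting the
// header also stamps the same nonce onto the inline scripts of that response.
function withFreshNonce(policy) {
  const nonce = randomBytes(16).toString('base64');
  return { nonce, header: `${policy}; script-src 'self' 'nonce-${nonce}'` };
}
```

Under the posted policy, inlineScriptAllowed(POLICY, null) is false because script elements fall back to default-src 'self', which permits no inline code. A nonce from one response does not authorise scripts under the header built for another.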