(Also posted this on the Discord, but have yet to see an answer so I thought I’d try here, too. If I get an answer on either, will indicate that and close each accordingly.)
In my CF Pages site repo, I use a CF Worker (through functions/middleware.js) for, among other things, providing a Content Security Policy. One part of that CSP requires using a nonce to allow style statements, so — also with the Worker — I inject a nonce into any style statements that I must use for whatever reason.
I’m now testing Cloudflare Fonts and see that my CSP is rejecting the style statements CF Fonts sets up because that nonce isn’t getting injected, presumably because the CF Fonts stuff happens after the Worker runs.
Am I correct in assuming that this order can’t be changed? And, if that’s the case, is my only option to add unsafe-inline and be done with it?
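
Added example, not part of the original post: a Node.js check that takes the CSP header and HTML of a final response and lists the inline <style> elements the policy would block, which is the symptom described above. The function names, the sample header and the sample markup are constructed for illustration.

```javascript
// Constructed sample input: one <style> carries the nonce, one was added without it.
const SAMPLE_CSP = "default-src 'self'; style-src 'self' 'nonce-r4nd0m'";
const SAMPLE_HTML = `<head>
<style nonce="r4nd0m">body{margin:0}</style>
<style>/* inserted after the nonce was injected */</style>
</head>`;

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// List inline <style> elements the policy would block.
// Limitation: hash sources are not evaluated, so a style allowed only by hash is still reported.
function auditInlineStyles(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  // <style> elements are governed by style-src-elem, then style-src, then default-src.
  const sources = policy.get("style-src-elem") ?? policy.get("style-src") ?? policy.get("default-src");
  if (sources === undefined) return []; // nothing restricts styles
  const nonces = sources.map((s) => /^'nonce-(.+)'$/i.exec(s)).filter(Boolean).map((m) => m[1]);
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const inlineOk = sources.some((s) => s.toLowerCase() === "'unsafe-inline'") && !nonces.length && !hasHash;
  const blocked = [];
  for (const m of html.matchAll(/<style\b([^>]*)>/gi)) {
    const attr = /\bnonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const nonce = attr ? (attr[1] ?? attr[2] ?? attr[3]) : null;
    if (inlineOk || (nonce !== null && nonces.includes(nonce))) continue;
    blocked.push({ offset: m.index, tag: m[0], reason: nonce === null ? "no nonce" : "nonce mismatch" });
  }
  return blocked;
}

console.log(auditInlineStyles(SAMPLE_CSP, SAMPLE_HTML));
```

Running it against the response a browser actually receives, rather than the Worker's own output, shows whether any <style> element reached the page without the nonce.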