(Also posted this on the Discord, but have yet to see an answer so I thought I’d try here, too. If I get an answer on either, will indicate that and close each accordingly.)
In my CF Pages site repo, I use a CF Worker (through functions/middleware.js) for, among other things, providing a Content Security Policy. One part of that CSP requires using a nonce to allow style statements, so — also with the Worker — I inject a nonce into any style statements that I must use for whatever reason. I’m now testing Cloudflare Fonts and see that my CSP is rejecting the style statements CF Fonts sets up because that nonce isn’t getting injected, presumably because the CF Fonts stuff happens after the Worker runs. Am I correct in assuming that this order can’t be changed? And, if that’s the case, is my only option to add unsafe-inline and be done with it?
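
A plain-JavaScript model of the ordering described in the post, added here as an example (it is not the poster's middleware and not Cloudflare's code). It assumes, as the post does, that a later stage inlines a style block after the middleware has run; all function names and sample strings are constructed. It also models the CSP rule that 'unsafe-inline' is ignored when the same directive carries a nonce.

```javascript
// Added example: a model of the pipeline order, not Workers runtime code.
// Function names and sample strings are hypothetical / constructed.

// Per-response nonce from the Web Crypto global (Workers, browsers, current Node).
function makeNonce() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Stage 1, the middleware: stamp the nonce on every <style> tag that exists
// at this point and build the matching style-src directive.
function middlewareStage(html, nonce) {
  const body = html.replace(/<style\b(?![^>]*\bnonce=)([^>]*)>/gi,
    (_m, attrs) => `<style nonce="${nonce}"${attrs}>`);
  return { body, csp: `style-src 'self' 'nonce-${nonce}'` };
}

// Stage 2 (assumption taken from the post): a later transform inlines font
// CSS as a new <style> block after the middleware has finished.
function laterInlineStage(body, css) {
  return body.replace(/<\/head>/i, () => `<style>${css}</style></head>`);
}

// Browser view: return the inline style blocks the policy would refuse.
// Per the CSP spec, 'unsafe-inline' is ignored once the directive has a nonce.
function blockedStyles(body, csp) {
  const policyNonce = (csp.match(/'nonce-([^']+)'/) || [])[1];
  const allowAllInline = csp.includes("'unsafe-inline'") && !policyNonce;
  const blocked = [];
  for (const m of body.matchAll(/<style\b([^>]*)>([\s\S]*?)<\/style>/gi)) {
    const tagNonce = (m[1].match(/\bnonce="([^"]*)"/) || [])[1];
    const allowed = allowAllInline || (Boolean(policyNonce) && tagNonce === policyNonce);
    if (!allowed) blocked.push(m[2]);
  }
  return blocked;
}

// Constructed sample input.
const SAMPLE_HTML =
  '<html><head><style>body{margin:0}</style></head><body></body></html>';
const SAMPLE_FONT_CSS = '@font-face{font-family:"Demo";src:url(/fonts/demo.woff2)}';
```

Running the three stages in order shows the late block being refused under the nonce policy, and still refused if 'unsafe-inline' is appended next to the nonce.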