CSP nonce in Zaraz

HI there,

when using zarazar web.dev/measur display browser error and those errors related to zarazar trying to use unsafe inline code why can’t Cloudflare make zaraz use nonce with strict dynamic instead of trying to use unsafe inline thanks

Hello Cloudflare

Do you have any plans to address the Zaraz browser issues? You have the NONCE, but it is attempting to use unsafe settings that are not compatible with a secure CSP. The blunder I perceive is as follows:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:

Please specify whether zaraz may be used properly or whether it must be abandoned in order to use safe CSP. If I have to choose between zaraz and CSP, I’ll go with CSP, however it would be fantastic if you could fix the zaraz unsafe issue.


I know Cloudflare have some damage control to do after downtime. So without being annoying i would like to push for an answer to if i can use zaraz safely with CSP or i have to abandon it if i want to avoid using unsafe-eval Thanks

Is there no one else using CSP and ZARAZ?