CSP nonce in Zaraz

HI there,

when using zarazar web.dev/measur display browser error and those errors related to zarazar trying to use unsafe inline code why can’t Cloudflare make zaraz use nonce with strict dynamic instead of trying to use unsafe inline thanks

Hello Cloudflare

Do you have any plans to address the Zaraz browser issues? You have the NONCE, but it is attempting to use unsafe settings that are not compatible with a secure CSP. The blunder I perceive is as follows:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:

Please specify whether zaraz may be used properly or whether it must be abandoned in order to use safe CSP. If I have to choose between zaraz and CSP, I’ll go with CSP, however it would be fantastic if you could fix the zaraz unsafe issue.


I know Cloudflare have some damage control to do after downtime. So without being annoying i would like to push for an answer to if i can use zaraz safely with CSP or i have to abandon it if i want to avoid using unsafe-eval Thanks

Is there no one else using CSP and ZARAZ?

Hey @kepona2732 ! We’re currently not looking into using strict-dynamic. Our main focus is to completely stop using eval, so it will not be needed. This will hopefully happen very soon. Until then, enabling unsafe-eval is the only support way to fully use Zaraz.

1 Like

Hi @yoav_zaraz

Thanks for the update, but i wonder Cloudflare which is a company selling security and all the bla bla using shitty unsecure features which restrict us to make site secure.

This is my frustrating feedback and disapointment at Cloudflare. But thank you very much for taking the time to inform me