CSP, RocketLoader and Nginx?

So I’m trying to avoid using (another) page rule to disable Rocketloader for one of my subdomains, since we can’t use a RegEx to select multiple specific subdomains under a single page rule, and only get 3 page rules for free accounts.

According to this page:


I can just add a header to the domain to allow scripts from CloudFlare:

add_header Content-Security-Policy "script-src 'self' ajax.cloudflare.com;";

I did so in the Nginx config for that subdomain (it’s a Chronograph container actually), restarted Nginx, tested to make sure it “took”, which it did:

But then when I try to load the domain, it won’t load, and the inspector shows this:

Not being super familiar with this, does anyone know where I screwed it up?


Probably you can try purge the cache and try again.

Thanks for the fast reply; I just did a CF purge as well as a browser cache purge and same result unfortunately.

Without the actual URL, it’s difficult to test, but CSP should be pretty straightforward. Your browser says the CSP it’s reading doesn’t include the ‘ajax’ part, yet ReportURI shows it.

But if the resource that’s calling that ajax script doesn’t have the appropriate CSP, I think it’s going to fail. I could be wrong, and I can’t find a suitable example in my own sites.

@sdayman If you want to take a sec for a closer look I’ll be happy to dm you my domain via your twitter (since I don’t see a way to msg on here). I just don’t want to blast the URL right here out in the open, just to prevent potential haxz0rs hammering it sometime down the road, lol.

Turns out the issue was that this specific container/site was sending multiple CSP headers that were conflicting with each other, or more specifically the container/site had a built-in CSP header already, and when I tried to add mine, it ended up in multiples, so I had to remove the original one and make sure only the one I needed was being used.

Here’s a reference to the solution: cloudflare - CSP, RocketLoader and Nginx? - Stack Overflow

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.