CSP with 'strict-dynamic' breaks many Cloudflare services

I’ve been trying to use 'strict-dynamic' with Cloudflare rocket and email obfuscation. I have found that using strict-dynamic you need to use a nonce with all scripts. This causes scripts used by Cloudflare to be automatically blocked. Is there any way to have rocket loader and email obfuscation work with 'strict-dynamic'?


How was it resolved? I couldn’t find any other solution except to reduce security by using the 'self' keyword: Content-Security-Policy: script-src-elem 'nonce-xxx' 'self'
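The behaviour discussed in the two posts above, as an added example (not code from any poster in this thread or from Cloudflare): a simplified model of how a browser decides whether an external script may load, run against a nonce plus 'strict-dynamic' policy and against the nonce plus 'self' policy quoted above. The page origin, the nonce value and the script URLs are constructed placeholders.

```javascript
// Simplified model of CSP Level 3 checks for external <script src> elements.
// Covers nonces, 'self', exact origins and 'strict-dynamic'; hashes, wildcards
// and inline scripts are left out.
function parseSources(header, directive) {
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null; // directive not present in this policy
}

function isScriptAllowed(sources, script, pageOrigin) {
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // 'self' and host sources are ignored here. Without a nonce, only scripts
    // created by an already trusted script (not parser-inserted) may load.
    return !script.parserInserted;
  }
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.some((s) => (s === "'self'" && origin === pageOrigin) || s === origin);
}

// Constructed sample data: origin, nonce and URLs are placeholders.
const PAGE_ORIGIN = 'https://example.com';
const SCRIPTS = {
  ownNonced: { src: '/app.js', nonce: 'xxx', parserInserted: true },
  // Script tag added to the HTML after the origin server set its nonces.
  edgeInjected: { src: '/cdn-cgi/injected.js', nonce: null, parserInserted: true },
  loadedByTrusted: { src: 'https://cdn.example.net/widget.js', nonce: null, parserInserted: false },
};

function evaluate(header, directive) {
  const sources = parseSources(header, directive);
  if (sources === null) throw new Error(`missing directive: ${directive}`);
  const result = {};
  for (const [name, script] of Object.entries(SCRIPTS)) {
    result[name] = isScriptAllowed(sources, script, PAGE_ORIGIN);
  }
  return result;
}

const strict = evaluate("script-src 'nonce-xxx' 'strict-dynamic'", 'script-src');
const relaxed = evaluate("script-src-elem 'nonce-xxx' 'self'", 'script-src-elem');
console.log({ strict, relaxed });
```

In this model the 'self' policy admits every same-origin script URL whether or not it carries a nonce, which is why the injected script loads under it, and it no longer lets a trusted script pull in a third-party dependency.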

You could try using the strict-dynamic CSP Cloudflare Worker I’ve made, I’m pretty sure it doesn’t have these issues:

I’ve also just written an article about the benefits of using this type of CSP: