Bot fighter should not inject code when it sees the CSP header will not permit it to run.
We have some pages where we want full bot fighting. And we have other pages guarded by password where bot fighting is superfluous, and CSP is critical. We do not want to expand the CSP to include CF. CF should parse the header and determine whether to inject the JS or not, based on whether it sees its domain on the allow list.