Hash or nonce for inline script inject by cloudflare?

Hi, I think Cloudflare is injecting an inline script (I think for ‘bot fight’?), which is fine, but I’d like to know how to allow it as an exception in the CSP (Content Security Policy) header. I’m temporarily allowing inline scripts at the moment.

Or in general, maybe there’s a better way altogether to do this? Things like js challenges, etc…


Off the top of my head, I’ve not seen Cloudflare inject inline Javascript, though if you’re using RocketLoader, it may be possible.

Do you know what the Javascript does? Or can you post a screenshot (or paste in the raw code as Preformatted Text)?

Hi @sdayman, thanks for your response.

Do you know what the Javascript does? Or can you post a screenshot (or paste in the raw code as Preformatted Text)?

Unfortunately, I didn’t save the script when I first noticed it, and now I’m not seeing it again.

However, I think I may have found a promising solution: the Cloudflare Bots documentation has a page for “JavaScript detections”, which it accomplishes by injecting some JS:

invisible code injection that honors Cloudflare’s strict privacy standards. A small amount of JavaScript is injected into client devices using Google’s Picasso fingerprinting technique. Picasso results are factored into bot scores and help Cloudflare classify traffic as automated or human.

Fortunately, they also mention a solution that is exactly what I was looking for with respect to CSP:

If you have a Content Security Policy (CSP):

  • Ensure that it does not block scripts served from /cdn-cgi/bm/ or requests made to /cdn-cgi/bm/results. Your CSP should allow scripts served from your origin domain (script-src self).
  • If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.

So, I’ll go ahead and try that. If I notice any stray JS, I’ll know for sure whether it’s from Cloudflare (and I’ll make sure to copy it next time). If I don’t see anything, though, I think it’ll be safe to close this out after a few days have passed. Thanks again for the help.


That’s not consistent with what you saw. Their two solutions say:

  1. It’s not injected into your script, but it’s a separate URL that needs to be permitted. But since it’s from your own domain, you should have already allowed that.
  2. If it’s inline, then it would include a nonce. Unless I’m reading that wrong and your CSP allows for a specific nonce and Cloudflare will include that specific nonce as part of the injected script.

That’s true, the scripts that were being injected were definitely inline. I’ll continue to keep an eye out.


After taking unsafe-inline back out of my CSP, I now see the following error:

Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ does not appear in the script-src directive of the Content Security Policy.

And the script it’s referring to, after beautifying, is:

<script type="text/javascript">
(function() {
    window['__CF$cv$params'] = {
        r: '6978a5cfe8c267a2',
        m: 'SRfux7YaHOtNjDkKp6wVszJWXeZbCSIyPd2SmPbargQ-1633122311-0-ARA4d9m5Jp+ISNkfokdLY3lOtV62x8Co4jhih7NJ48bWHV1jIWk1wAasefWtaoaUjIgb9ctzJVdv2vwU5ML9hiJbyDMqt0n8p670VKFX5qmzyHp468ObzwPp2EATeYYoow==',
        s: [0x12c00fe9b7, 0x64a2136e9e],
        u: '/cdn-cgi/challenge-platform/h/g'
    }
})();
</script>

So, just wanted to follow up and say that it was due to “Bot Fight Mode” after all. Once I disabled that setting, the error messages went away in the console. To solve this issue, you need to follow the documentation here and use a nonce in your CSP headers:

  • If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
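The two pieces of this thread that matter for a CSP, the documentation quote (allow same-origin scripts, and a nonce in script-src that the proxy copies onto the script it injects) and the final resolution (the inline `__CF$cv$params` stub is refused until the policy carries a nonce), can be checked end to end in a few lines. The following is an added example written for this thread, not Cloudflare's code and not the poster's; the function names are hypothetical, and the inline script body is a constructed stand-in for the challenge stub shown above. It generates a per-response nonce, builds the header, extracts the nonce back out of the header the way a proxy that "parses your CSP response header" must, and approximates the browser's script-src decision for an inline script with and without the nonce (and with a hash, which only works for a static body).

```python
import base64
import hashlib
import re
import secrets
from typing import List, Optional

# Hypothetical helper names for this example; not a library or Cloudflare API.

def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable nonce for one response, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def build_csp(nonce: str) -> str:
    """Allow same-origin scripts (covers /cdn-cgi/bm/ on your own domain) plus
    inline scripts tagged with this response's nonce; no 'unsafe-inline'."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

def _directive(csp_header: str, name: str) -> Optional[List[str]]:
    """Return the source list of one directive, or None if it is absent."""
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=]+)'$")

def nonces_from_csp(csp_header: str) -> List[str]:
    """Nonces in script-src: what an injecting proxy has to read out of the
    response header before it can put a matching nonce= on its <script>."""
    sources = _directive(csp_header, "script-src") or []
    return [m.group(1) for m in map(NONCE_RE.match, sources) if m]

def script_hash(body: str) -> str:
    """'sha256-...' source expression for a static inline script body. The
    challenge stub carries per-visitor values, so a hash cannot pin it."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def inline_script_allowed(csp_header: str, body: str,
                          tag_nonce: Optional[str]) -> bool:
    """Approximate the browser's decision for one inline <script>."""
    sources = _directive(csp_header, "script-src")
    if sources is None:                       # script-src falls back to default-src
        sources = _directive(csp_header, "default-src")
    if sources is None:
        return True                           # nothing restricts scripts
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-",
                                          "'sha512-")) for s in sources)
    # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce/hash is listed
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if tag_nonce and f"'nonce-{tag_nonce}'" in sources:
        return True
    return f"'{script_hash(body)}'" in sources

# Constructed stand-in for the injected stub from the thread (values made up).
SAMPLE_BODY = "window['__CF$cv$params'] = {u: '/cdn-cgi/challenge-platform/h/g'};"

def demo() -> dict:
    """Walk through the thread's three states for one response."""
    nonce = make_nonce()
    csp = build_csp(nonce)
    return {
        "proxy_can_read_nonce": nonces_from_csp(csp) == [nonce],
        "stub_without_nonce": inline_script_allowed(csp, SAMPLE_BODY, None),   # the console error
        "stub_with_nonce": inline_script_allowed(csp, SAMPLE_BODY, nonce),     # what the docs promise
        "static_body_by_hash": inline_script_allowed(
            f"script-src 'self' '{script_hash(SAMPLE_BODY)}'", SAMPLE_BODY, None),
    }

if __name__ == "__main__":
    print(demo())
```

Two practical notes follow from the code. The nonce must be generated fresh for every response: a nonced page that is served from a cache (CDN or your own) reuses the same value across visitors, which is no better than 'unsafe-inline'. And because script-src replaces rather than extends default-src, a nonce added only to default-src does nothing for scripts once a script-src directive exists.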
