Hi @sdayman, thanks for your response.
Unfortunately, I didn’t save the script when I first noticed it, and now I’m not seeing it again.
Fortunately, they also mention a solution that is exactly what I was looking for with respect to CSP:
If you have a Content Security Policy (CSP):
- Ensure that it does not block scripts served from
/cdn-cgi/bm/ or requests made to
/cdn-cgi/bm/results . Your CSP should allow scripts served from your origin domain (
script-src self ).
- If your CSP uses a
nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
So, I’ll go ahead and try that. If I notice any stray JS I’ll know for sure if it’s not from cloudflare (and I’ll make sure to copy it next time). If I don’t see anything though, I think it’ll be safe to close this out after a few days have passed. Thanks again for the help.