When using Turnstile with a CSP header with the domains whitelisted, the browser gives an error on the console of:
Refused to execute inline script because it violates the following Content Security Policy directive: ...
Either the 'unsafe-inline' keyword, a hash ('sha256-6wRdeNJzEHNIsDAMAdKbdVLWIqu8b6+Bs+xVNZqplQw='), or a nonce ('nonce-...') is required to enable inline execution.
My Content-Security-Policy header consists of script-src 'self' https://challenges.cloudflare.com; frame-src https://challenges.cloudflare.com; default-src 'self'; object-src 'none'; frame-ancestors 'self'
According to https://developers.cloudflare.com/turnstile/frequently-asked-questions/ we can either use a nonce or whitelist the domains.
I chose not to use a nonce-based method because my app is an Angular client-side rendered app and there isn’t a standard approach for nonces yet.
So do you think we are OK to just ignore the inline script violation reported by the browser, or should the Turnstile FAQ say that if you’re using CSP, nonce is required?
I will say that the challenge still appears to complete OK with the inline script error. I’m just concerned that it will increase the false positive rate as our solve rate is only 85% so far.
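To see why the policy quoted above produces that console error even though the Cloudflare host is whitelisted, here is a small CSP evaluator written for this post (it is not the poster's code and not Cloudflare's). It applies the inline-script rules from the CSP spec to the exact header in the question, then shows the two ways the FAQ and the browser message offer to permit inline code: a hash source or a per-response nonce. The inline script body SAMPLE_INLINE is a constructed stand-in, so its hash is not the 'sha256-6wRd...' value from the real error; the helper names parse_csp, script_hash_source, inline_script_allowed, with_source and new_nonce are this example's own. It goes slightly beyond the post by also checking the hash-mismatch case and the rule that 'unsafe-inline' is ignored once any nonce or hash source is present.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

# Policy quoted in the question, reproduced so the example runs offline.
QUESTION_POLICY = (
    "script-src 'self' https://challenges.cloudflare.com; "
    "frame-src https://challenges.cloudflare.com; "
    "default-src 'self'; object-src 'none'; frame-ancestors 'self'"
)

# Constructed stand-in for the inline snippet the browser refused. Its text,
# and therefore its hash, is NOT the real Turnstile inline script.
SAMPLE_INLINE = "window.onloadTurnstileCallback = function () { console.log('ready'); };"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Per the spec, when a directive is repeated only the first occurrence counts."""
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_hash_source(body: str) -> str:
    """CSP hash-source for an inline script: base64(sha256(UTF-8 bytes)),
    the same form the browser prints in its 'Refused to execute' message."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header: str, body: str, nonce: str | None = None) -> bool:
    """Decide whether an inline <script> may run under this policy.

    A host source such as https://challenges.cloudflare.com only covers scripts
    *fetched* from that origin. Inline code needs a matching nonce, a matching
    hash, or 'unsafe-inline'; 'unsafe-inline' is ignored as soon as any
    nonce/hash source is listed (CSP level 2 and later)."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src", []))
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if script_hash_source(body) in sources:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def with_source(header: str, extra: str) -> str:
    """Return the header with one more source expression appended to script-src."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    for i, part in enumerate(parts):
        if part.lower().startswith("script-src"):
            parts[i] = part + " " + extra
            break
    else:
        parts.append("script-src " + extra)
    return "; ".join(parts)


def new_nonce() -> str:
    """Per-response nonce: unpredictable and generated fresh for every response."""
    return secrets.token_urlsafe(18)


if __name__ == "__main__":
    print("whitelist only :", inline_script_allowed(QUESTION_POLICY, SAMPLE_INLINE))
    hashed = with_source(QUESTION_POLICY, script_hash_source(SAMPLE_INLINE))
    print("with hash      :", inline_script_allowed(hashed, SAMPLE_INLINE))
    nonce = new_nonce()
    nonced = with_source(QUESTION_POLICY, f"'nonce-{nonce}'")
    print("with nonce     :", inline_script_allowed(nonced, SAMPLE_INLINE, nonce=nonce))
```

Running it shows the whitelist-only policy refusing the inline body, which is exactly the browser's complaint. The hash route only works while the inline text never changes, since a single byte of difference produces a different digest; the nonce route needs a fresh value on every response and the same value echoed into the script tag.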