Rocket Loader CSP issue

What is the name of the domain?

What is the issue you’re encountering

Rocket Loader inline scripts are blocked by CSP

What steps have you taken to resolve the issue?

I’ve added ajax.cloudflare.com to the script sources of my Helmet settings, as per the instructions here: Content Security Policies (CSPs) and Cloudflare. This made no difference.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

May I ask what error is shown in the console?

How about using a nonce and adding/modifying it via a Worker on each request? Rocket Loader hashes might change, though, so, hm. A bit tricky :thinking:

Otherwise, disable Rocket Loader if you prefer to keep CSP; then you won’t have to use 'unsafe-inline'.

Content-Security-Policy: default-src 'self'; script-src 'nonce-hash'
<script type="text/javascript" nonce="hash">...</script>

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://www.google.com ajax.cloudflare.com 'nonce-q***==' 'nonce-e4'". Either the 'unsafe-inline' keyword, a hash ('sha256-N0='), or a nonce ('nonce-…') is required to enable inline execution.

I get the above error. All the scripts in my own code indeed use a nonce and work fine with inline scripts. But since Rocket Loader gets inserted by Cloudflare, it’s not present in my own code and therefore I don’t think I can add a nonce to that script (or can I?).

I could of course disable Rocket Loader through the Cloudflare Dashboard, but is that indeed the envisioned behaviour: not to use Cloudflare’s Rocket Loader if you want to use CSP…?