I’m trying to apply a Content Security Policy to my site but I can’t get this to work with Rocket Loader. I followed the steps mentioned on this page https://support.cloudflare.com/hc/en-us/articles/216537517-What-is-Content-Security-Policy-CSP-and-how-can-I-use-it-with-Cloudflare- by adding script-src ‘self’ ajax.cloudflare.com; to the meta tag but it still gets blocked as Rocket Loader appears to be adding in its own inline script.
Normally you would add a unique hash value to the script and add this into the allowlist but this doesn’t appear to be possible as the inline script is being added into my page afterwards.
Is there any way around this? Disabling Rocket Loader isn’t really an option here and adding ‘unsafe-inline’ rather defeats the purpose of it all.