I’m attempting to display images using a JS lightbox script that changes inline styles. The images are being served by Cloudflare images with the content-security-policy set to content-security-policy: default-src ‘none’; navigate-to ‘none’; form-action ‘none’. As a result browsers are throwing the error “Refused to apply inline style because it violates the following Content Security Policy directive: “default-src ‘none’”. Either the ‘unsafe-inline’ keyword”. I’ve setup a custom worker to use a custom Cloudwave proxied domain to service the images and within the script attempt to update the CSP response header to “unsafe-inline” however it did not change the response header. I setup a dedicated worker to update the response header and added a route to the Cloudwave proxied domain and it still does not change the header. Does anyone know if what I’m trying to do is possible? I have a Cloudwave support ticket opened but figured I’d try the community in the meantime.
Can you share an example URL where this is causing problems? I do see the CSP header as you mention on Images like https://imagedelivery.net/Ot3aZdvuAOCHsbCy8bLk3A/8a601f38-70cc-4c8a-ec3e-59eec7327000/large, but this shouldn’t really have any impact on your site, and definitely shouldn’t cause your CSP to throw style related errors 
(post deleted by author)
(post deleted by author)
As a sanity check I tested serving images from the local webserver and an Amazon S3 bucket, and in both cases the lightbox script worked as expected. Upon inspection of the header response I noted the content-security-policy is not being set which further leads me to believe if there is a fix it’s a change that needs to be made on the Cloudflare side.
This topic was automatically closed after 14 days. New replies are no longer allowed.