Set content-security-policy for Cloudflare Images

I’m attempting to display images using a JS lightbox script that changes inline styles. The images are being served by Cloudflare images with the content-security-policy set to content-security-policy: default-src ‘none’; navigate-to ‘none’; form-action ‘none’. As a result browsers are throwing the error “Refused to apply inline style because it violates the following Content Security Policy directive: “default-src ‘none’”. Either the ‘unsafe-inline’ keyword”. I’ve setup a custom worker to use a custom Cloudwave proxied domain to service the images and within the script attempt to update the CSP response header to “unsafe-inline” however it did not change the response header. I setup a dedicated worker to update the response header and added a route to the Cloudwave proxied domain and it still does not change the header. Does anyone know if what I’m trying to do is possible? I have a Cloudwave support ticket opened but figured I’d try the community in the meantime.

Can you share an example URL where this is causing problems? I do see the CSP header as you mention on Images like, but this shouldn’t really have any impact on your site, and definitely shouldn’t cause your CSP to throw style related errors :thinking:

(post deleted by author)

(post deleted by author)

As a sanity check I tested serving images from the local webserver and an Amazon S3 bucket, and in both cases the lightbox script worked as expected. Upon inspection of the header response I noted the content-security-policy is not being set which further leads me to believe if there is a fix it’s a change that needs to be made on the Cloudflare side.

This topic was automatically closed after 14 days. New replies are no longer allowed.