The script appeared at the bottom of the body tag, what is its function?

Hello. I noticed that script appear at the bottom of the body tag, exactly below google tracking script code.

/* <![CDATA[ */(function(d,s,a,i,j,r,l,m,t){try{l=d.getElementsByTagName('a');t=d.createElement('textarea');for(i=0;l.length-i;i++){try{a=l[i].href;s=a.indexOf('/cdn-cgi/l/email-protection');m=a.length;if(a&&s>-1&&m>28){j=28+s;s='';if(j<m){r='0x'+a.substr(j,2)|0;for(j+=2;j<m&&a.charAt(j)!='X';j+=2)s+='%'+('0'+('0x'+a.substr(j,2)^r).toString(16)).slice(-2);j++;s=decodeURIComponent(s)+a.substr(j,m-j)}t.innerHTML=s.replace(/</g,'&lt;').replace(/\>/g,'&gt;');l[i].href='mailto:'+t.value}}catch(e){}}}catch(e){}})(document);/* ]]> */

Can you tell me what is its function and is there a need to remove it and how? I have one mailto link on the site, I guess it’s because of that, and Cloudflare filter messages, but how to remove ?

email address protection.

Could someone with more knowledge than I explain why this has to be inline and can’t be loaded from /cdn-cgi/… like their apps? Makes implementing a strict CSP source policy very difficult when you have to allow this.

I guess you’d have to ask a Cloudflare developer why they did it this way.

But for CSP, I add a hash to script-src and I get to keep my strict policy.

If you don’t want to add the hash, and don’t mind a raw email address in your page source, you can just turn it off, as described in the above instructions.