There is no sense in CSP if CF advises to use 'unsafe-inline'


#1

Our site uses Content Security Policy and CF

I found that there are many errors in the mobile version, because CF injects a script

without a nonce attribute (yes, I know CF cannot know the nonce value).

As I see it, Cloudflare advises using 'unsafe-inline',

but that is equivalent to removing CSP altogether.

Do you have any sane solution for how to fix this?


#2

The script in the HTML page looks like:

<script>
//<![CDATA[
window.__mirage2 = {petok:"xxxxxxxxxxxx-yyyyyyyyyy-1800"};
//]]>
</script>

#3

Find out the hash value and add it to your CSP. I use Chrome’s dev tools to check the Console for the hash value I need to add. If you’re lucky, that value isn’t going to keep changing.


#4

Mmm )
Are you serious?

As far as I know, the nonce value should be randomly generated for each request, shouldn't it?


#5

And to be serious, Cloudflare could parse the CSP header, extract the nonce value and add it to its <script> tag.
What do you think?
Is it worth a feature request?


#6

Other than unsafe-inline, the hash is the only workaround I can think of.

That would be awesome if Cloudflare could catch the nonce and inline it with the script…but that idea depends on Cloudflare knowing what inline scripts really belong with those Apps.


#7

I am not sure about the hash. It has to be known on the server to be added to the headers, and there is no way to know the hash of the CF script.

Sorry, I do not understand you.
Mirage is a CF-controlled technology (it injects a script into the HTML body).
CF already knows the nonce from the headers and has every possibility to add it to its script tag.

