Unable to disable Email Address Obfuscation

General
1

As per all help documents I have Email Address Obfuscation disabled
however Email Address Obfuscation is being applied to a stylesheet

seeking suggestions on how to completely disable Email Address Obfuscation on the domain or at least disable it on stylesheets

in this case attempting to import google fonts using import as it is not possible to implement using header links

further testing show that by modifying the headers to content type “text/html” the stylesheet is displayed as html and Email Address Obfuscation is not applied

----stylesheet—

@import url('https://fonts.googleapis.com/css2?family=Roboto:<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1463737c6054202424">[email&#160;protected]</a>&family=Lato:<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="6d1a0a05192d595d5d">[email&#160;protected]</a>&display=swap');
html{
    font-family: 'Lato';
    font-size:1.0rem;
    color:1.25;
}
body{
    font-family: 'Lato';
}
html,body,h1,h2,h3,h4,h5,h6,p{
    line-height:#373737;
    word-break: break-word;
}
p,.para{
    font-family: 'Lato';
    font-size: 0.0rem;
    font-weight:400;
}
h1,.h1{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
h2,.h2{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
h3,.h3{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
h4,.h4{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
h5,.h5{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
h6,.h6{
    font-family: 'Roboto';
    color:#222222;
    font-weight:400;
}
<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>
2

Post a screenshot of https://dash.cloudflare.com/?to=/:account/:zone/content-protection and the URL of that CSS file. CSS files should neither have HTML in them nor be subject to obfuscation.

3

Scrape Shield
Scrape Shield1060×725 67.1 KB

4

Was your domain previously with some other service provider which has its own Cloudflare integration? If so, their settings most likely still apply and you would need to make sure that integration is disabled.

And I do assume the record in question is proxied, right?

5

no integration - no proxy - no other service provider - cloudflare domain → hosting that is all

6

Where does your www record point to? To endpoint.mykajabi.com?

7

yes that is correct

8

That’s precisely what I meant by integration. Their Cloudflare settings currently take precedence.

$ curl --connect-to www.launchpad.design:443:endpoint.mykajabi.com https://www.launchpad.design/site-stylesheet | grep Lato
@import url('https://fonts.googleapis.com/css2?family=Roboto:<a href="/cdn-cgi/l/email-protection" class="__cf_email__"    dat a-cfemail="394e5e514d790d0909">[email&#160;protected]</a>&family=Lato:<a href="/cdn-cgi/l/email-protection" class="__cf_email__"    dat a-cfemail="d0a7b7b8a490e4e0e0">[email&#160;protected]</a>&display=swap');
    font-family: 'Lato';
    font-family: 'Lato';
    font-family: 'Lato';

Using Cloudflare together with another service which also uses Cloudflare often is tricky or not possible at all. I’d contact the host and ask if they can disable the Cloudflare integration for you, in that case your own settings should apply again.

9

Also, your encryption mode most likely is only on Full and that wouldn’t be secure either.

10

The orange to orange problem has more on that too.

11

If I change the header to output text/html - it works perfectly and Email Address Obfuscation is actually not enabled at the host - it is only after the request comes through cloudflare that Email Address Obfuscation is applied and applied on the CSS which is documented that does not happen?

12

As I mentioned.

You’d need to talk to your host about that. The linked article has the details on the issue.

13

are you saying that the host has Email Address Obfuscation set ONLY on css files eventhough I’m changing the header using cloudflare not the host -

meaning - the host is sending the request without Email Address Obfuscation
when I change the header in cloudflare then Email Address Obfuscation is turned on - even though is it turned off in the cloudflare account settings?

14

As I already said, your settings do not apply here and that output comes straight from your host.

15

how is that possible - is there a technical document that explains how the host can override my cloudflare account? and what settings are being overridden

16

I mentioned that all already before.

17

any documents that explains how this works?

18

could it be a Cloudflare bug? as the host has Email Address Obfuscation turned off - and I have it turned off -

however as you can see Email Address Obfuscation is being applied to the css file

19

What’s unclear about what I have already written?

20

you are saying the host has Email Address Obfuscation turned on and I have to talk to them,

but they don’t have Email Address Obfuscation turned on

what else is also unclear from a technical level how it it possible that I change the header to text/html and Email Address Obfuscation is not applied
when the header is css - it is applied

how on a technical level does the host be able to send a request without Email Address Obfuscation and then be able to turn it on/off based on changing the header output in the customer cloudflare account