Understand this errorAI ToolBarMenu:1 Refused to load the script

What is the name of the domain?

amtran.com.tw

What is the error message?

Refused to load the script ‘https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback. Understand this errorAI ToolBarMenu:1 Refused to load the script ‘https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

What is the issue you’re encountering

When the website provides a preview, it remains in a loading state and cannot. When the WAF Proxy is disabled, it works normally. May I ask where I can find the relevant information to resolve this issue? I kindly request your assistance.

I cannot load the Website from my end; furthermore, it’s not using Cloudflare nameservers, or if you’ve changed them lately, they haven’t propagated yet.

ns-822.awsdns-38.net
ns-1049.awsdns-03.org
ns-2022.awsdns-60.co.uk
ns-228.awsdns-28.com

Furthermore, the www version does load and resolves over Cloudflare and I cannot reproduce the same error, beacon got me HTTP 200 no error:

If you believe it’s related to the WAF, I’d suggest you double-check the Security → Events at Cloudflare dashboard under your Cloudflare account for your zone, or via direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.

You should be able to see the challenged or blocked event under the Security tab → Events at Cloudflare dashboard for your zone and know exactly which security option was triggered.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If yes, could you share some details which service was triggered that blocked you?

Sorry, my website is nbpm.amtran.com.tw

error message

This is what I see when I visit your Website:

SORRY
https://nbpm.amtran.com.tw/GAIA/

Thank you for feedback.

I can see only one request as issue for the logon form related to the Content Security Policy. Everything else is HTTP 200.

Did you clear your Web browser cache, cookies & data?

Hi, during the testing process, the computer screen does not remain in the loading state, but on the mobile app, it gets stuck on the loading screen. When WAF is disabled, the screen displays immediately. No errors were found in Security → Events. This is a very strange issue. Please assist, and thank you!

Hi Fritex, I apologize for the inconvenience. May I ask if there’s a chance you could provide guidance on problem-solving approaches? This is an area where I am relatively weak, and I would greatly appreciate your expertise and assistance. Thank you very much!

What is the name of the domain?

https://nbpm.amtran.com.tw/GAIA/

What is the issue you’re encountering

during the testing process, the computer screen does not remain in the loading state, but on the mobile app, it gets stuck on the loading screen. When WAF is disabled, the screen displays immediately. No errors were found in Security → Events. Refused to load the script ‘https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback. Understand this errorAI ToolBarMenu:1 Refused to load the script ‘https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

Was the site working with SSL prior to adding it to Cloudflare?

No

What is the current SSL/TLS setting?

Flexible

Screenshot of the error

I look forward to God sending an angel to provide assistance.

Thank you for feedback and patience.

Could you describe “WAF” in more detail? Is it one of the below:

  1. Custom WAF rule disabled
  2. Bot Fight Mode disabled
  3. Security Level changed
  4. Browser Integrity Check disabled

The Beacon script coming from Cloudflare shouldn’t be the cause since it’s used for Analytics & tracking, it’s not Security nor WAF related.

You can adjust your CSP header, if it’s coming from the origin server, otherwise disable Web Analytics for your zone at the Cloudflare dashboard.

Helpful article about Cloudflare cookies:

Might be the cause of Mixed content and redirection loops, possibly in a way which is interfering with your “loading screen”. Should be fixed and set to Full (Strict).

Before moving to Cloudflare, was your Website working over HTTPS connection?

Steps for troubleshooting:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com.
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected with HTTPS without any error.
  4. Check with your hosting provider / Plesk panel / cPanel AutoSSL / Let’s Encrypt / ACME / Certbot and manually click to renew it
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s set to Full (Strict).

I cannot reproduce this on my mobile phone (Android) while checking.

I’d suggest you to try using Incognito Mode (Private Window) and test out by modifying your settings and above suggestions.

Otherwise, temporarily disable the Rocket Loader feature if it’s causing some JavaScript conflict:

I am glad to receive your response. After testing, the issue could not be resolved. I am providing the mobile testing method in the attached file, hoping it meets your requirements.
Login ID : rain.yu
Password : 123456
Please key in ID and password

Select 流程中心

Select 簽核

Select 我申請的

You can choose any option to test.

  1. Custom WAF rule disabled
  2. Bot Fight Mode disabled
  3. Security Level changed
  4. Browser Integrity Check disabled

This topic was automatically closed after 15 days. New replies are no longer allowed.
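
The console error quoted in the thread can be reproduced offline. The sketch below is an added example, not code from any participant or from Cloudflare: it evaluates a script URL against a policy using the `script-src-elem` → `script-src` → `default-src` fallback the browser message describes. The `ADJUSTED` policy is an assumed way of adjusting the CSP header, and the beacon URL is shown without its version suffix.

```javascript
// Added example: simplified CSP check for <script src> loads. Not a full CSP Level 3 matcher:
// ports, paths, nonces, hashes and the bare "*" source are not handled.
const ORIGIN = "https://nbpm.amtran.com.tw"; // site from the thread
const BEACON = "https://static.cloudflareinsights.com/beacon.min.js"; // version suffix dropped
const REPORTED = "script-src 'self' 'unsafe-inline' 'unsafe-eval'"; // from the console error
const ADJUSTED = REPORTED + " https://static.cloudflareinsights.com"; // assumed adjustment

// Split a policy into { directive: [source expressions] }; the first occurrence of a directive wins.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Directive governing script elements: script-src-elem, else script-src, else default-src.
function effectiveDirective(parsed) {
  return ["script-src-elem", "script-src", "default-src"].find((d) => d in parsed) || null;
}

function matchesSource(expr, url, origin) {
  const u = new URL(url);
  if (expr === "'self'") return u.origin === origin;
  if (expr.startsWith("'")) return false; // keywords such as 'unsafe-inline' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : new URL(origin).protocol;
  if (u.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  return wildcard ? u.hostname.endsWith("." + h) : u.hostname === h;
}

function allowsScript(policy, url, origin) {
  const parsed = parsePolicy(policy);
  const directive = effectiveDirective(parsed);
  if (directive === null) return { allowed: true, directive }; // nothing restricts scripts
  const allowed = parsed[directive].some((s) => matchesSource(s, url, origin));
  return { allowed, directive };
}

console.log(allowsScript(REPORTED, BEACON, ORIGIN));
console.log(allowsScript(ADJUSTED, BEACON, ORIGIN));
```

A `script-src-elem` directive, when present, replaces `script-src` entirely for script elements, so a host added only to `script-src` would still be refused in that case.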