
I have a CSP with the following line in it:

script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http: https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js;

and I can see that the CSP is correct in the response header for the page.

I am still getting a [Report Only] Refused to load the script https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js error.

Cloudflare is auto-injecting this script tag and so I cannot rely on the strict-dynamic property to cover it for me, nor can I add a nonce.

Is this failing because of strict-dynamic overriding the fixed URL in the CSP? We need strict-dynamic within the app, but we also need to allow a custom whitelist URL for these situations.

Any ideas?

Edit: Specifically I think the issue is cloudflare here. How is it possible to allow cloudflare to inject scripts, while at the same time having strict-dynamic set? You cannot give cloudflare a nonce, and strict-dynamic will not let you white-list so how is it possible to overcome this?

simonw16
  • Did you ever figure out how to handle it? – Parsa Yazdani Mar 01 '21 at 22:52
  • No, the solution for me was to turn off strict-dynamic if there was something injecting scripts like Cloudflare. It feels like CSP is still in its infancy and there are a lot of cases that just don't work from my experience. You'll also notice that Safari and Firefox inject their own scripts into your code if you open the developer console, so it'll always show a violation (and report it too). Very hard to work with CSP. – simonw16 Mar 02 '21 at 18:39

1 Answer


If you use strict-dynamic, the browser ignores the allow-listed domains. That's why that approach isn't working.

BTW, you can't use a full URL like http: https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/email-decode.min.js anyway. You can only use https://static.cloudflareinsights.com https://mydomain.app/cdn-cgi/scripts/6c4dd986/cloudflare-static/.

BTW, you may find https://csp-evaluator.withgoogle.com/ helpful for finding problems like that in your CSP. (I'm not affiliated with them. I just think it's useful.)

At the end of the day, Cloudflare is going to need to fix this on their side. They see your CSP in your response. They need to make use of your nonce. They do this sometimes. If you read https://developers.cloudflare.com/bots/reference/javascript-detections/, it says, "If your CSP uses a nonce for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header."

Shannon -jj Behrens