Allow Cloudflare challenge-platform scripts: add unsafe-inline and challenges.cloudflare.com to CSP
- Add unsafe-inline to script-src and style-src for Cloudflare Bot Fight Mode injected scripts
- Add challenges.cloudflare.com to frame-src, script-src, connect-src, external_redirects
- Cloudflare injects inline scripts/styles for bot detection that cannot use nonces

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -27,13 +27,17 @@ nelmio_security:
- 'https://js.stripe.com'
- 'https://cloudflare.com'
- 'https://*.cloudflareinsights.com'
- 'https://challenges.cloudflare.com'
script-src:
- 'self'
- 'https://static.cloudflareinsights.com'
- 'https://challenges.cloudflare.com'
- 'unsafe-inline'
style-src:
- 'self'
- 'https://fonts.googleapis.com'
- 'https://cdnjs.cloudflare.com'
- 'unsafe-inline'
img-src:
- 'self'
- 'data:'
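Review bot: 'unsafe-inline' in script-src (and, to a lesser degree, in style-src) gives up the injection protection that the rest of this allow-list exists for, because any inline script that reaches the page markup will now execute regardless of origin. Two things to check before merging: first, if nelmio_security's nonce generation is enabled for script-src elsewhere in this file (not visible in the hunk), browsers implementing CSP Level 2 ignore 'unsafe-inline' whenever a nonce or hash is present in the same directive, so the new entry would not even achieve its stated purpose; second, confirm with a report-only policy and the resulting violation reports that the injected Cloudflare snippets really are the only inline scripts being blocked. If the injected content is stable, a 'sha256-…' hash of it is a far narrower fix; if it is not, consider limiting the relaxation to the routes where the challenge is served rather than applying it site-wide. The added 'https://challenges.cloudflare.com' host entries themselves are fine.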
@@ -45,6 +49,7 @@ nelmio_security:
- 'https://cloudflareinsights.com'
- 'https://static.cloudflareinsights.com'
- 'https://tools-security.esy-web.dev'
- 'https://challenges.cloudflare.com'
font-src:
- 'self'
- 'https://cdnjs.cloudflare.com'
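Review bot: The single-host allowance added to connect-src is the right shape for this directive, but the rationale for it lives only in the commit message. Suggest a YAML comment next to this entry (and the other challenges.cloudflare.com entries) stating that it exists for the Cloudflare challenge platform, so the next person auditing the policy can tell which entries are load-bearing and which can be removed if Bot Fight Mode is switched off.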
@@ -78,3 +83,4 @@ nelmio_security:
- hooks.stripe.com
- dashboard.stripe.com
- auth.esy-web.dev
- challenges.cloudflare.com
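Review bot: Adding challenges.cloudflare.com to the external_redirects allow-list permits top-level redirects of the user to that host, which is a different capability from the CSP entries above. Verify that the challenge flow actually performs such a redirect rather than rendering in the page or in the frame already allowed by frame-src; if no redirect is ever issued, drop this entry so the redirect allow-list stays as small as the existing Stripe and auth.esy-web.dev entries suggest it is meant to be.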