"Content-Security-Policy" with CloudFlare

Saracoglu · May 12, 2017, 1:56pm

I decided to use CloudFlare and, with this decision I started living with the problem.
I’m having a Content-Security-Policy issue with CloudFlare

I added domains:

trusted_domains’
13 => ‘cloudflare.com’,
14 => ‘ajax.cloudflare.com’,

Consol screenshot:
nclogin fw

Line: 12

<script type="text/javascript">
//<![CDATA[
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"a5598fbea6541371e5e84444fd34eeec",petok:"0119e12f861d65f4adee31660e13ee5fe0455fe4-1494590285-1800",zone:"getddo.com",rocket:"a",apps:{}}];document.write('<script type="text/javascript" src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=85b614c0f6/cloudflare.min.js"><'+'\/script>');}}catch(e){};
//]]>
</script>

I modified CloudFlare for these codes, but this did not work;
\lib\private\legacy\response.php

$policy = 'default-src \'self\'; '
	. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
	. 'style-src \'self\' \'unsafe-inline\'; '
	. 'frame-src *; '
	. 'img-src * data: blob:; '
	. 'font-src \'self\' data:; '
	. 'media-src *; ' 
	. 'connect-src *; '
	. 'object-src \'none\'; '
	. 'base-uri \'self\'; ';
header('Content-Security-Policy:' . $policy);
header('X-Frame-Options: SAMEORIGIN');

I have investigated this problem on the internet but have not got a result, what can I do for this problem?

tflidd · May 12, 2017, 9:23pm

just as reference: https://github.com/nextcloud/server/issues/4840

Sorry, I can’t help you. Just referring from the topic above, did you disable js/css-optimization of cloudfare (if possible)?