Part 1: Cloudflare-originated scripts allowed in common/isfdb.py, installed in SVN 1302 on 2026-04-05. It didn't help as much as I hoped it would because Cloudflare inserts scripts directly into the body of the page, which is still disallowed by CSP settings. Allowing inline scripts would be a significant security issue, so we need to re-evaluate how to get around it.
Part 2 - Allow Cloudflare-injected JS script with a valid hash; Let Cloudflare send feedback. Implemented in common/isfdb.py, installed in SVN 1304 on 2026-04-06. The live server is still refusing to run Cloudflare's injected script because it's not accepting the SHA-512 value as valid. More debugging is needed. Leaving the SR open.
Part 3 - Switched from hard-coded SHA values to nonces for CSP's interaction with Cloudflare. Implemented in common/isfdb.py, installed in SVN 1306 on 2026-04-06. Everything appears to be working normally after this change, so I am going to close this FR. We may need to reopen it if and when we come across additional issues with Cloudflare.
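An added illustration (not the code in common/isfdb.py) of the difference between the Part 2 and Part 3 approaches: a CSP hash source matches only the exact bytes of one inline script, while a per-response nonce authorizes any script tag that carries it. The function names, the sample scripts and the simplified `inline_allowed` check are assumptions made for this sketch, written for Python 3.

```python
import base64
import hashlib
import secrets

def make_nonce():
    """Fresh, unpredictable value; generate one per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def hash_source(script_text):
    """CSP hash source: base64 SHA-512 over the script's exact bytes."""
    digest = hashlib.sha512(script_text.encode("utf-8")).digest()
    return "'sha512-" + base64.b64encode(digest).decode("ascii") + "'"

def csp_header(extra_sources):
    """script-src policy that never falls back to 'unsafe-inline'."""
    return "script-src 'self' " + " ".join(extra_sources)

def inline_allowed(policy, script_text, tag_nonce=None):
    """Simplified model of a browser's decision for one inline <script>."""
    sources = policy.split()
    if tag_nonce is not None and "'nonce-" + tag_nonce + "'" in sources:
        return True
    return hash_source(script_text) in sources

# Constructed stand-ins for an injected inline script before and after
# the injecting party changes it by a single character.
SCRIPT_V1 = "window.__probe=function(){return 1;};"
SCRIPT_V2 = "window.__probe=function(){return 2;};"

def demo():
    pinned = csp_header([hash_source(SCRIPT_V1)])   # hard-coded hash
    nonce = make_nonce()
    per_response = csp_header(["'nonce-" + nonce + "'"])
    return {
        "hash_v1": inline_allowed(pinned, SCRIPT_V1),
        "hash_v2": inline_allowed(pinned, SCRIPT_V2),
        "nonce_v2": inline_allowed(per_response, SCRIPT_V2, nonce),
        "no_nonce": inline_allowed(per_response, SCRIPT_V2),
        "stale_nonce": inline_allowed(per_response, SCRIPT_V2, make_nonce()),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "allowed" if allowed else "blocked")
```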