Skip to content

Commit

Permalink
Update javascript-detections.md (#3389)
Browse files Browse the repository at this point in the history
* Update javascript-detections.md

https://jira.cfops.it/browse/PSPEC-997

* Update products/bots/src/content/reference/javascript-detections.md

Co-authored-by: Kody Jackson <[email protected]>
  • Loading branch information
zeinjaber and kodster28 authored Feb 9, 2022
1 parent 2ff6318 commit 9d065f7
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion products/bots/src/content/reference/javascript-detections.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,4 +29,5 @@ Customers who enabled Enterprise Bot Management before June 2020 do not have Jav

If you have a Content Security Policy (CSP):
- Ensure that it does not block scripts served from `/cdn-cgi/bm/` or requests made to `/cdn-cgi/bm/results`. Your CSP should allow scripts served from your origin domain (`script-src self`).
- If your CSP uses a `nonce` for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
- If your CSP uses a `nonce` for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
- If your CSP does not use `nonce` for script tags and **JavaScript Detection** is enabled, you may see a console error such as `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.` We highly discourage the use of `unsafe-inline` and instead recommend the use CSP `nonces` in script tags which we parse and support in our CDN.

0 comments on commit 9d065f7

Please sign in to comment.