[Support Request]: Adding trusted scripts locations to Content Security Policy (CSP) #2498

Closed
opened 2026-02-05 04:20:36 +03:00 by OVERLORD · 9 comments

Originally created by @rene0899 on GitHub (Nov 20, 2021).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I use BookStack with Cloudflare Rocket Loader and email address obfuscation. For that, Cloudflare needs to run scripts on my site. BookStack's default CSP doesn't allow this because of the "script-src http: https: 'nonce-abc123' 'strict-dynamic'" policy. I can disable this by adding the line "ALLOW_CONTENT_SCRIPTS=true" to my .env file. However, by disabling this I make my site less secure by allowing everything. How can I explicitly allow Cloudflare scripts to be run without compromising on security?

I tried overwriting CSP headers with my Nginx webserver. I added the following line to my nginx site configuration file between Server {} (basically everything stated in the BookStack documentation which it needs + the Cloudflare URL) -

  • add_header Content-Security-Policy "default-src 'self'; script-src 'self' ajax.cloudflare.com http: https: 'nonce-abc123' 'strict-dynamic'; frame-ancestors 'self'; object-src 'self'; base-uri 'self';";

but that didn't work and instead threw a lot more errors to the console about scripts restricted by the given policy. And even if it did work, then as I understand it, the browser would prefer the BookStack-set CSP because it would be more strict.

Exact BookStack Version

v21.11

Log Content

No response

PHP Version

No response

Hosting Environment

Azure


@ssddanbrown commented on GitHub (Nov 20, 2021):

Hi @rene0899, yeah, the trouble is that Cloudflare adds these scripts to the page in a way that the CSP rules would actively defend against. We can't alter these scripts either to make them compatible due to where Cloudflare sits in the stack.

I don't think adding the cloudflare domains would ultimately help here since we make use of the 'strict-dynamic' option for sources.

Any scripts added in via the "Custom HTML Head" content setting automatically have nonces applied to work with our CSP system. I guess you could potentially copy the Cloudflare-injected content to this option? Not sure how often they change the script references though. It's a massive shame they don't seem to support user control of these scripts.
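The behaviour described above (nonces honoured, host allowlisting ignored once 'strict-dynamic' is present) as an added Python model; this is example code, not BookStack's or Cloudflare's, and it also evaluates several policies together because a browser enforces every CSP header it receives. The page origin, the Rocket Loader script URL and the function names are constructed assumptions.

```python
"""Browser-side evaluation of a CSP script-src list that contains 'strict-dynamic'.
Added example, not BookStack or Cloudflare code; models only the CSP3 matching rules
needed for this thread (nonces allow, 'strict-dynamic' ignores host/scheme/'self')."""
from urllib.parse import urlparse

# Policies quoted in the thread: BookStack's default and the Nginx override.
BOOKSTACK_CSP = "default-src 'self'; script-src http: https: 'nonce-abc123' 'strict-dynamic'"
NGINX_CSP = ("default-src 'self'; script-src 'self' ajax.cloudflare.com http: https: "
             "'nonce-abc123' 'strict-dynamic'; frame-ancestors 'self'")
PAGE_ORIGIN = "https://wiki.example"                              # constructed origin
ROCKET = "https://ajax.cloudflare.com/cdn-cgi/scripts/rocket.js"  # constructed URL


def script_src_sources(policy: str) -> list:
    """Return the source expressions of the script-src directive (simplified parse)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def host_source_matches(source: str, url: str, page_origin: str) -> bool:
    """'self', scheme and host-expression matching; wildcards and paths not modelled."""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "https:":
        return u.scheme == "https"
    if source == "http:":
        return u.scheme in ("http", "https")  # CSP3: http: also matches https: URLs
    if source.startswith("'"):
        return False  # keywords, nonces and hashes are not host sources
    src = urlparse(source if "://" in source else "//" + source)
    return src.hostname == u.hostname and (not src.scheme or src.scheme == u.scheme)


def script_allowed(policy: str, url: str, page_origin: str, nonce: str = "") -> bool:
    """Would a parser-inserted <script src=url nonce=nonce> load under this policy?"""
    sources = script_src_sources(policy)
    if nonce and f"'nonce-{nonce}'" in sources:
        return True  # a matching nonce allows the script, with or without 'strict-dynamic'
    if "'strict-dynamic'" in sources:
        return False  # CSP3: host, scheme and 'self' sources are ignored for script-src
    return any(host_source_matches(s, url, page_origin) for s in sources)


def every_policy_allows(policies, url, page_origin, nonce="") -> bool:
    """A browser enforces every CSP header it receives; each must allow the load."""
    return all(script_allowed(p, url, page_origin, nonce) for p in policies)
```

Adding `ajax.cloudflare.com` to the Nginx header therefore changes nothing while 'strict-dynamic' remains, and a second header can only make the effective policy stricter.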


@ssddanbrown commented on GitHub (Dec 17, 2021):

Since there's been no further discussion on this I'm going to close it off.

Based upon [Cloudflare's documentation](https://support.cloudflare.com/hc/en-us/articles/216537517-Using-Content-Security-Policy-CSP-with-Cloudflare) they are doing CSP nonce handling for their "Bot Management" element. It would be ideal if they did this for other scripts they inject. It would help if any Cloudflare customers with this issue raised this via Cloudflare support since I don't have an account with them to make the case.


@10935336 commented on GitHub (May 29, 2022):

I had a similar problem.
I'm trying to integrate reCAPTCHA v2 into a website, but the CSP won't let me.

```
Refused to load the script 'https://www.recaptcha.net/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src http: https: 'nonce-gD0LGElIkIXqfPbsDwCpcmIv' 'strict-dynamic'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
```

recaptcha.net is an official proxy provided by Google: https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally

https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website.-how-can-i-configure-it-to-work-with-recaptcha


@ssddanbrown commented on GitHub (May 29, 2022):

@10935336 This can really depend on how you're attempting to load in scripts.
You'll need to ensure any initial script tags are added with a CSP nonce as we do here:
https://github.com/BookStackApp/BookStack/blob/49498cfaf9b6f10d993755b47e2cdb3cf256461d/resources/views/layouts/base.blade.php#L53

A CSP nonce is automatically applied to "Custom HTML Head Content" scripts.


@10935336 commented on GitHub (May 30, 2022):

> @10935336 This can really depend on how you're attempting to load in scripts. You'll need to ensure any initial script tags are added with a CSP nonce as we do here:
>
> https://github.com/BookStackApp/BookStack/blob/49498cfaf9b6f10d993755b47e2cdb3cf256461d/resources/views/layouts/base.blade.php#L53
>
> A CSP nonce is automatically applied to "Custom HTML Head Content" scripts.

Thanks for the help!
For anyone who might see this: you need to add your request sources in `ALLOWED_IFRAME_SOURCES=` in .env and then just do

```
<script src="URL" nonce="{{ $cspNonce }}"></script>
```


@ssddanbrown commented on GitHub (May 30, 2022):

Happy to help!

Note, the `ALLOWED_IFRAME_SOURCES` bit is only needed when scripts require loading iframes; it's not needed for all custom scripts.


@DraKuLa21-a42 commented on GitHub (Sep 14, 2024):

@10935336
Could you please explain in more detail exactly what needs to be done to resolve this issue?


@10935336 commented on GitHub (Sep 18, 2024):

> @10935336 Could you please explain in more detail exactly what needs to be done to resolve this issue?

You just need to add a nonce in the script tag,

from something like this

```
<script src="https://example.com/foo.js"></script>
```

to

```
<script src="https://example.com/foo.js" nonce="{{ $cspNonce }}"></script>
```


@joshhcd commented on GitHub (May 21, 2025):

Thank you very much. This was needed, as I added Matomo tracking and was wracking my brain on why it wasn't working.

Reference: starred/BookStack#2498