There is another site reporting CSP errors related to the /cdn-cgi/speculation endpoint: Refused to load the script 'xxxx.com/cdn-cgi/speculation' because it violates the following Content Security Policy directive - #2 by simon. I am not aware of similar issues that have been reported in the past. Maybe something has changed either on Cloudflare or in Discourse 3.4.0.
The /cdn-cgi/speculation endpoint is added to domains registered on Cloudflare when the “Speed Brain” feature is enabled. Speed Brain is intended to speed up a website’s performance by allowing Cloudflare to prefetch content when a user hovers over a link. I’m not sure this is compatible with Discourse.
I see the Speculation-Rules header is being returned with the response when I visit https://community.lezismore.org/login. That indicates that the Speed Brain feature is enabled. From the Cloudflare docs, it seems that it is enabled by default.
Can you try disabling Speed Brain from the Speed tab of your Cloudflare dashboard? Instructions for how to do that are here: Speed Brain | Cloudflare Speed docs.
The “Caveats” section of the docs I linked to says:
- Speed Brain will not work with restrictive Content Security Policy configurations using strict-dynamic or nonce-{hash} attributes.
If Speed Brain is compatible with Discourse, we’ll have to figure out how to add it to the Content Security rules.
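To check a site for the conflict described in this post, the following added example (not part of the original post, and not Cloudflare or Discourse code) takes a page's response headers and reports whether the URL named in Speculation-Rules would pass the page's CSP. It assumes a simplified model in which the rules URL is checked like an external script, as the quoted "Refused to load the script" error suggests; the host name and header values are constructed.

```python
from urllib.parse import urljoin, urlsplit

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def speculation_rules_verdict(page_url, headers):
    """Simplified model (assumption): no wildcard-host or path matching."""
    h = {k.lower(): v for k, v in headers.items()}
    if "speculation-rules" not in h:
        return "no Speculation-Rules header"
    # The header value is a quoted URL, e.g. "/cdn-cgi/speculation"
    first = h["speculation-rules"].split(",")[0].strip().strip('"')
    rules = urlsplit(urljoin(page_url, first))
    page = urlsplit(page_url)
    policy = parse_csp(h.get("content-security-policy", ""))
    # Fallback chain for script loads
    sources = next((policy[d] for d in
                    ("script-src-elem", "script-src", "default-src")
                    if d in policy), None)
    if sources is None:
        return "allowed: no script directive applies"
    if "'strict-dynamic'" in sources:
        # Host and 'self' sources are ignored; only nonce/hash trust counts
        return "blocked: 'strict-dynamic' ignores host and 'self' sources"
    same_origin = (rules.scheme, rules.netloc) == (page.scheme, page.netloc)
    for src in sources:
        if src == "*" or src == rules.scheme + ":":
            return "allowed: matched " + src
        if src == "'self'" and same_origin:
            return "allowed: matched 'self'"
        if urlsplit(src if "//" in src else "//" + src).netloc == rules.netloc:
            return "allowed: matched " + src
    return "blocked: no source expression matches " + rules.geturl()

# Constructed sample: a nonce + strict-dynamic policy behind Speed Brain
SAMPLE_URL = "https://forum.example/login"
SAMPLE_HEADERS = {
    "Speculation-Rules": '"/cdn-cgi/speculation"',
    "Content-Security-Policy":
        "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'",
}

if __name__ == "__main__":
    print(speculation_rules_verdict(SAMPLE_URL, SAMPLE_HEADERS))
```
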