There is another recent topic related to content security policy errors with a script at https://forum.example.com/cdn-cgi/speculation: Issue with Activate Account Page After Update to 3.4.0 (Blank Page). I’m wondering if something has changed recently either on Cloudflare or on Discourse.
My understanding is that the /cdn-cgi/speculation endpoint is added to domains registered on Cloudflare if “Speed Brain” is enabled. It is intended to allow Cloudflare to prefetch page content when a user hovers over a link. I’m not sure if it’s compatible with Discourse.
What version of Discourse is your site on?
Are you getting any errors on the site, or are you just seeing the CSP error in the console?
Can you try disabling Speed Brain? It seems that it’s enabled by default. It can be disabled from the “Speed” tab of your Cloudflare dashboard: Speed Brain | Cloudflare Speed docs.