From 1e04258c226b3835274d710c9caebf916504706e Mon Sep 17 00:00:00 2001 From: MattNotarangelo Date: Fri, 26 Jun 2026 18:42:50 -0700 Subject: [PATCH] fix(csp): allow Cloudflare Web Analytics beacon The strict CSP (script-src 'self', connect-src 'self') blocked the beacon that Cloudflare Pages auto-injects, so Web Analytics recorded nothing. Allowlist the two beacon origins: - script-src: https://static.cloudflareinsights.com (beacon.min.js) - connect-src: https://cloudflareinsights.com (RUM /cdn-cgi/rum endpoint) Comment updated to reflect the one permitted third-party dependency. Co-Authored-By: Claude Opus 4.8 (1M context) --- index.html | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 77c5869..a98ae0d 100644 --- a/index.html +++ b/index.html @@ -5,10 +5,12 @@ + even if escaping is ever incomplete. The only permitted third-party + origins are Cloudflare Web Analytics (beacon script + RUM endpoint), + which Cloudflare Pages injects automatically. --> Cave Survey Viewer