| 1 | +# 0019. Opt out of edge HTML transformation |
| 2 | + |
| 3 | +Date: 2026-06-15 |
| 4 | + |
| 5 | +Status: Accepted |
| 6 | + |
| 7 | +## Context |
| 8 | + |
| 9 | +vanityURLs ships strict Content Security Policy headers for product HTML. The default CSP blocks inline scripts and |
| 10 | +styles so the generated redirector pages remain deterministic and easy to audit. |
| 11 | + |
| 12 | +Some Cloudflare dashboard features can rewrite or inject content into HTML responses after the Worker or static asset |
| 13 | +policy has produced the page. JavaScript Detections, Bot Fight Mode, Managed Challenge, Zaraz, Rocket Loader, Snippets, |
| 14 | +and similar features can add scripts or rewrite markup at the edge. That creates a mismatch between repository-owned |
| 15 | +HTML/CSP and the final response observed by browsers. In strict-CSP instances, the result is often a browser console |
| 16 | +error for an injected inline script. |
| 17 | + |
| 18 | +Cloudflare JavaScript Detections documents its injected script path under `/cdn-cgi/challenge-platform/` and notes that |
| 19 | +`Cache-Control: no-transform` prevents that injection on responses where JavaScript Detections would otherwise run. |
| 20 | + |
| 21 | +## Decision |
| 22 | + |
| 23 | +vanityURLs HTML responses opt out of intermediary transformation. The Worker appends `no-transform` to the |
| 24 | +`Cache-Control` header for HTML responses, and the static `_headers` fallback uses |
| 25 | +`Cache-Control: no-store, no-transform` on HTML routes. |
| 26 | + |
| 27 | +The operator recommendation remains to keep challenge-style or page-rewriting Cloudflare features disabled for public |
| 28 | +redirect, lookup, and status HTML unless the instance intentionally accepts Cloudflare-owned script injection. |
| 29 | + |
| 30 | +Do not weaken the default CSP with `unsafe-inline` or Cloudflare-generated hashes just to support dashboard-injected |
| 31 | +JavaScript. If an operator wants JavaScript Detections on a separate application surface, that surface should carry its |
| 32 | +own policy instead of changing the redirector baseline. |
| 33 | + |
| 34 | +## Consequences |
| 35 | + |
| 36 | +- Public HTML remains closer to the repository-built artifact that operators review and deploy |
| 37 | +- Cloudflare JavaScript Detections should not inject its challenge-platform script into vanityURLs HTML responses that |
| 38 | + honor `no-transform` |
| 39 | +- Strict CSP can remain strict without inline script allowances |
| 40 | +- Operators can still enable Cloudflare blocking, rate limiting, Browser Integrity Check, Access, managed AI bot |
| 41 | + controls, and WAF rules that do not rewrite public HTML |
| 42 | +- Challenge-based controls may still be useful on separate apps or protected admin surfaces, but they are not the |
| 43 | + vanityURLs public HTML baseline |
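Review bot: The Decision rests on `Cache-Control: no-transform` as the opt-out, but the only documented guarantee cited in Context is for JavaScript Detections, while the same paragraph also names Bot Fight Mode, Managed Challenge, Zaraz, Rocket Loader and Snippets as features that inject scripts or rewrite markup. The Consequences bullet on JavaScript Detections is scoped correctly, but the text as a whole can be read as if `no-transform` covers the whole list; suggest adding one sentence under Decision stating that `no-transform` is relied on only for JavaScript Detections and that the other features are addressed solely by the operator recommendation to keep them disabled. The Worker is described as appending `no-transform` while the `_headers` fallback emits `Cache-Control: no-store, no-transform`; stating the full header value the Worker produces for HTML responses would show whether the two paths agree on caching as well as on transformation. A short verification step under Consequences would also help operators, for example fetching a public redirect or status route through Cloudflare and confirming that the response carries `no-transform` and that the body contains no script loaded from `/cdn-cgi/challenge-platform/`.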