After upgrading from Zammad 3.2 to 3.3 on a Centos7 server, I am unable to pass the loading screen. If I disable the CloudFlare front DNS for the helpdesk, it works correctly. When using CloudFlare I now receive the below error.
Refused to load the script 'https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-SJQEPIlDbjGk/xoX2SFgCg=='". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is this due to the new security changes in Zammad 3.3?
Just for reference the following file is responsible for this content security.
Changing it is not update safe but helps solving your issue if you want to use that js.
Note that setting headers in your webservers configuration is being ignored / overwritten and thus does not help.
