Browser Support • Re: Cloudflare Verification Loop issues

If our (IMO spec compliant) implementation

Well, our implementation of csp is still not quite in line with other current browsers - we do not have support unsafe-hashes, report-sample, report-to, trusted-types, require-trusted-types-for. Of course, it's the fancy modern additions (half of them are ff148... though chrome83) which leads to

but I've thus far not been given any specific details about what in our CSP is causing these hangs

If look in devtools, the CF turnstile requires support for trusted-types and require-trusted-types-for. Of course, normally it would sound pretty silly that a missing csp policy would cause noticeable freezes, but given that it requires the new Trusted Types API to work, it might be possible... The API has two main parts:

• A JavaScript API enables a developer to sanitize data before passing it to an injection sink.
• Two CSP directives enforce and control the usage of the JavaScript API.