Description
Describe the issue
When Cloudflare Proxy is enabled, widgets on /widgets/ don't display.
I already tried
- I've read and searched the documentation.
- I've searched for similar filed issues in this repository.
Steps to reproduce the behavior
Enable Cloudflare Proxy for the Weblate instance, configure ajax.cloudflare.com to be in CSP_SCRIPT_SRC and exempted from CSP, visit a widgets page and see the widget is not displayed.
Expected behavior
Widget is displayed.
Screenshots
Exception traceback
How do you run Weblate?
Docker -> nginx reverse proxy -> Cloudflare proxy
Weblate versions
- Weblate: 5.16.2
- Django: 5.2.12
- siphashc: 2.7
- translate-toolkit: 3.19.3
- lxml: 6.0.2
- pillow: 12.1.1
- nh3: 0.3.3
- python-dateutil: 2.9.0.post0
- social-auth-core: 4.8.5
- social-auth-app-django: 5.7.0
- django-crispy-forms: 2.6
- oauthlib: 3.3.1
- django_compressor: 4.6.0
- djangorestframework: 3.16.1
- django-filter: 25.2
- django-appconf: 1.2.0
- user-agents: 2.2.0
- filelock: 3.25.0
- RapidFuzz: 3.14.3
- openpyxl: 3.1.5
- celery: 5.6.2
- django-celery-beat: 2.9.0
- kombu: 5.6.2
- translation-finder: 2.24
- weblate-language-data: 2026.3
- html2text: 2025.4.15
- pycairo: 1.29.0
- PyGObject: 3.54.5
- diff-match-patch: 20241021
- requests: 2.32.5
- django-redis: 6.0.0
- hiredis: 3.3.0
- sentry-sdk: 2.54.0
- Cython: 3.2.4
- mistletoe: 1.5.1
- GitPython: 3.1.46
- borgbackup: 1.4.3
- pyparsing: 3.3.2
- ahocorasick_rs: 1.0.3
- charset-normalizer: 3.4.5
- cyrtranslit: 1.2.0
- drf-spectacular: 0.29.0
- Python: 3.14.3
- Git: 2.53.0
- psycopg: 3.3.3
- psycopg-binary: 3.3.3
- phply: 1.2.6
- ruamel.yaml: 0.19.1
- tomlkit: 0.14.0
- tesserocr: 2.10.0
- boto3: 1.42.62
- aeidon: 1.15
- iniparse: 0.5
- mysqlclient: 2.2.8
- google-cloud-translate: 3.24.0
- openai: 2.26.0
- Mercurial: 7.2
- git-svn: 2.53.0
- git-review: 2.5.0
- Redis server: 8.6.1
- PostgreSQL server: 18.3
- Database backends: django.db.backends.postgresql
- PostgreSQL implementation: psycopg3 (binary)
- Cache backends: default:RedisCache, avatar:FileBasedCache
- OS encoding: filesystem=utf-8, default=utf-8, locale=utf-8
- Celery: redis://redis:6379/1, redis://redis:6379/1, regular
- Platform: Linux 6.8.0-87-generic (x86_64)
Weblate deploy checks
System check identified some issues:
INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
HINT: https://docs.weblate.org/en/weblate-5.16.2/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
HINT: https://docs.weblate.org/en/weblate-5.16.2/admin/backup.html
System check identified 2 issues (1 silenced).
Additional context
Attention - there IS a similar issue already existing, but it hasn't received a response in half a year, so I'm not sure if anyone will see my comment there. Feel absolutely free to close this as duplicate at your convenience: #15675
We are seeing an issue with Cloudflare Proxy, even when ajax.cloudflare.com is added to the allowed asset list and directly added to the CSP.
When Rocketloader is configured to be on for the page, the widget doesn't display and there are two errors in the developer console on Chrome:
eco/:805 Executing inline script violates the following Content Security Policy directive 'script-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-fw5EPjRMYVXwiHqKkWxxri4XKKD7tBc4t5CR5bzi+kQ='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
widgets.js:5 Uncaught ReferenceError: $ is not defined
at widgets.js:5:1
Note the given hash changes on every refresh, so it cannot be exempted.
When we disable Rocketloader in the CF panel, the second error with the uncaught reference is gone and the widget does display, but the first error is still in the developer console.
I couldn't figure out how to get Rocketloader working without causing issues - nor how to get the executing inline script error gone with Rocketloader already disabled. (It is gone, however, when Cloudflare proxy is off completely, which is not an option for us.)
Given this is related to CF, I'm not sure if we're just missing something and this is a simple user error. But Rocketloader being able to break widgets, potentially by breaking script execution order, afaik is something the software could prevent?
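Added example, not part of the original issue and not Weblate or Cloudflare code: a small checker that lists which inline scripts in a response a `script-src` policy would block, showing why a hash that changes on every refresh cannot be allowlisted while a matching nonce can. The two responses, the injected script body and the `n0` nonce are constructed sample values, and the checker ignores `default-src` fallback and non-JavaScript script types.

```python
import base64, hashlib
from html.parser import HTMLParser

class InlineScripts(HTMLParser):
    """Collect (nonce, body) for every <script> element that has no src."""
    def __init__(self):
        super().__init__()
        self.found, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._cur = [a.get("nonce"), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.found.append(tuple(self._cur))
            self._cur = None

def csp_hash(body):
    # CSP hash source: base64 of SHA-256 over the exact script text
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode()

def script_sources(csp):
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return set(parts[1:])
    return set()  # simplification: no default-src fallback

def blocked_inline(html, csp):
    """Return the hashes of inline scripts the policy would refuse to run."""
    allowed = script_sources(csp)
    strict = any(s.startswith(("'nonce-", "'sha")) for s in allowed)
    if "'unsafe-inline'" in allowed and not strict:
        return []  # 'unsafe-inline' only counts when no nonce/hash is listed
    parser = InlineScripts()
    parser.feed(html)
    return [csp_hash(body) for nonce, body in parser.found
            if f"'{csp_hash(body)}'" not in allowed
            and not (nonce and f"'nonce-{nonce}'" in allowed)]

# Constructed responses: same page, but the injected inline script differs per request
PAGE = '<script src="/static/widgets.js"></script><script{attr}>var t="{tok}";</script>'
CSP = "script-src 'self' ajax.cloudflare.com"
if __name__ == "__main__":
    for tok in ("a1", "b2"):
        print(blocked_inline(PAGE.format(attr="", tok=tok), CSP))
```

Running it against a saved copy of the real response and the real `Content-Security-Policy` header shows which inline script triggers the console error and whether it carries a nonce the policy could reference.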