CF-Hash attribute and script mysteriously added to mailto links

Question

I have a development site and production site:

I have a mailto email link at the bottom, the php source code is ex

Answer 1

Cloudflare hides the email address to prevent bots from scraping them from web pages.

If you are a normal web user rather than a bot you will be running JavaScript. Cloudflare inject JavaScript which unscrambles the email addresess.

Some web pages wont allow inline JavaScript to run and thus end users cant see the email addresses.

Consider varying the Content_Security-Policy meta tag emitted by the website to allow the running of inline JavaScript.

e.g. see use of 'unsafe-inline';

"As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example."

More useful information on this here : https://developer.chrome.com/extensions/contentSecurityPolicy