"Content-Security-Policy" with CloudFlare persists in version 14 (Beta)

[ykcab]

with DNS behind cloudflare, the same issue of "Content-Security-Policy" is again present in version 14 Beta.
-->

Steps to reproduce

1. have your domain on Cloudflare
2. when you go to your browser: hxxps://your[.]domain[.]com, for the first time you will be able to configure/finish the installation but after the initial setup you will, the login button has no effect at all.
3. login with you local IP (internal lan/wifi), no issue

Actual behavior

see attached image and similarly to this previous version issue (#4840)

Server configuration

Operating system:
Debian Stretch 9
Web server:
NGINX 1.12
Database:
MariaDB
PHP version:
PHP7.0
Nextcloud version: (see Nextcloud admin page)
Nextcloud Beta 1
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh Installation
Where did you install Nextcloud from:
Official nextcloud web page

this image show the problem

[nextcloud-bot]

GitMate.io thinks possibly related issues are #4840 ("Content-Security-Policy" with CloudFlare), #10495 (14 Beta 2), #6018 (nextcloud Content-Security-Policy problem), #5873 (Content Security Policy Headers and multiple trusted_domains), and #9297 (How to disable the Content Security Policy ?).

[rullzer]

As stated in #4840 this is indeed unsupported and will most likely break.

On top of that this means that cloudflare can do MITM attacks as you allow it to rewrite your html.

[ykcab]

@rullzer Cloudflare is a legitimate CDN service, why would you flag them to impersonate with MITM attack?

[rullzer]

I'm not saying they are doing it. I'm saying they can do it in your setup. Which is something you should not want with your data.

[kesselb]

As stated in #4840 this is indeed unsupported and will most likely break.