csp updates (cloudflare#26547)

Author: patriciasantaana

src/content/docs/bots/get-started/bot-fight-mode.mdx

@@ -9,7 +9,7 @@ head:
 
 ---
 
-import { Tabs, TabItem, Steps, Render, DashButton } from '~/components';
+import { Tabs, TabItem, Steps, Render, DashButton, GlossaryTooltip } from '~/components';
 
 Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your domain. When enabled, the product:
 
@@ -98,6 +98,21 @@ You can see bot-related actions by going to **Security** > **Events**. Any reque
 
 ## Limitations
 
+### Rules
+
 You cannot bypass or skip Bot Fight Mode using the _Skip_ action in WAF custom rules or using Page Rules. _Skip_, _Bypass_, and _Allow_ actions apply to rules or rulesets running on the [Ruleset Engine](/ruleset-engine/). While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using [Super Bot Fight Mode](/bots/get-started/super-bot-fight-mode/).
 
 Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.
+
+### JavaScript Detections
+
+<Render 
+  file="jsd-availability" 
+  product="bots" 
+  params={{ 
+    planType: "Bot Fight Mode",
+    enablement: "automatically enabled and cannot be disabled" 
+    }} 
+/>
+
+<Render file="content-security-policy-limitation" product="bots" />

src/content/docs/cloudflare-challenges/challenge-types/javascript-detections.mdx

@@ -40,9 +40,23 @@ Refer to the steps below to enable and enforce JavaScript Detections.
 
 ## 1. Enable JavaScript Detections
 
-For Bot Fight Mode customers, JavaScript Detections is automatically enabled and cannot be disabled.
-
-For Super Bot Fight Mode and Bot Management for Enterprise customers, JavaScript Detections is optional.
+<Render 
+  file="jsd-availability" 
+  product="bots" 
+  params={{ 
+    planType: "Bot Fight Mode",
+    enablement: "automatically enabled and cannot be disabled" 
+    }} 
+/>
+
+<Render 
+  file="jsd-availability" 
+  product="bots" 
+  params={{ 
+    planType: "Super Bot Fight Mode and Bot Management for Enterprise",
+    enablement: "optional" 
+    }} 
+/>
 
 <Render file="javascript-detections-enable" product="cloudflare-challenges" />
 
@@ -140,18 +154,7 @@ Subsequent requests can include a `cf_clearance` cookie if JavaScript ran succes
 
 ### If you have a Content Security Policy (CSP)
 
-If you have a <GlossaryTooltip term="content security policy (CSP)">Content Security Policy (CSP)</GlossaryTooltip>, you need to take additional steps to implement JavaScript Detections:
-
-- Ensure that anything under `/cdn-cgi/challenge-platform/` is allowed. Your CSP should allow scripts served from your origin domain (`script-src self`).
-- For `nonce` script tags:
-  - If your CSP uses a `nonce` for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
-
-  - If your CSP does not use `nonce` for script tags and **JavaScript Detections** is enabled, you may see a console error such as `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.` We highly discourage the use of `unsafe-inline` and instead recommend the use CSP `nonces` in script tags which we parse and support in our CDN.
-
-:::caution[Warning]
-
-JavaScript Detections is not supported with `nonce` set via `<meta>` tags.
-:::
+<Render file="content-security-policy-limitation" product="bots" />
 
 ### If you have ETags
 

src/content/partials/bots/content-security-policy-limitation.mdx

@@ -0,0 +1,19 @@
+---
+{}
+
+---
+
+import { GlossaryTooltip } from '~/components';
+
+If you have a <GlossaryTooltip term="content security policy (CSP)">Content Security Policy (CSP)</GlossaryTooltip>, you need to take additional steps to implement JavaScript Detections:
+
+- Ensure that anything under `/cdn-cgi/challenge-platform/` is allowed. Your CSP should allow scripts served from your origin domain (`script-src self`).
+- For `nonce` script tags:
+  - If your CSP uses a `nonce` for script tags, Cloudflare will add these nonces to the scripts it injects by parsing your CSP response header.
+
+  - If your CSP does not use `nonce` for script tags and **JavaScript Detections** is enabled, you may see a console error such as `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-b123b8a70+4jEj+d6gWI9U6IilUJIrlnRJbRR/uQl2Jc='), or a nonce ('nonce-...') is required to enable inline execution.` We highly discourage the use of `unsafe-inline` and instead recommend the use CSP `nonces` in script tags which we parse and support in our CDN.
+
+:::caution[Warning]
+
+JavaScript Detections is not supported with `nonce` set via `<meta>` tags.
+:::

src/content/partials/bots/jsd-availability.mdx

@@ -0,0 +1,6 @@
+---
+inputParameters: planType;;enablement
+
+---
+
+For {props.planType} customers, [JavaScript Detections](/cloudflare-challenges/challenge-types/javascript-detections/) is {props.enablement}.