Tags: javascript, nginx, nonce, content-security-policy

CSP nonce is randomly generated, shows as a match in page source, but js not working


I can't find a way to deal with this problem, as no errors are being generated, either in logs or in the browser console.

I have what seems to be a good system to generate random nonces for the CSP header, and it shows as a match when viewing the page source, but the js scripts are not working. There is nothing in the browser console giving the typical "Refused to load because it violates the following Content Security Policy directive" errors for any of the scripts. Nothing in the error logs for the site gives any hints.

This is for a custom PHP website (not WordPress, etc.) on an Nginx server. I am using a method described here to generate the random nonces and place them in the CSP header and in the script tags, and it works great; they match with every page load. So what could possibly be the reason the scripts won't work? They work fine with a permissive CSP.

I have the permissive CSP live now so the site works properly, but you can see the nonces being generated in the script tags if you look at the page source of the site here. The nonce is not in the CSP header at the moment, but it was working fine.

I welcome any ideas on how to troubleshoot this problem. Thanks!


Solution

  • It seems the problem was Cloudflare's "Rocket Loader," which is designed to "Improve the paint time for pages which include JavaScript," but was in fact interfering with the JS, but only when a nonce was being used, for some reason.
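A check that covers both the question (do the nonces in the header and the script tags really agree?) and the solution (has something rewritten the script tags before the browser saw them?), added here as an editor's example and not code from the question, the linked method, or Cloudflare. It pulls the nonce out of the CSP `script-src` (falling back to `default-src`), walks every `<script>` tag in the HTML, and reports: tags with no nonce or a stale one; tags whose `type` attribute a browser will not execute as JavaScript, which is exactly the case that produces no CSP violation in the console because the script is simply inert (a deferral tool such as Rocket Loader works by rewriting the `type` attribute; treat that mapping as an assumption here, the specific value below is made up); and `'unsafe-inline'` sitting next to a nonce, which nonce-aware browsers ignore. The header and HTML are constructed inline so the script runs offline; to use it for real, feed it the response headers and body as fetched through Cloudflare, not from the origin.

```python
import re
from html.parser import HTMLParser


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """Source list the browser applies to scripts: script-src, else default-src."""
    return policy.get("script-src", policy.get("default-src", []))


def script_nonces(policy):
    """Nonce values the policy accepts for scripts (base64 or base64url)."""
    found = set()
    for src in script_sources(policy):
        m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
        if m:
            found.add(m.group(1))
    return found


class ScriptTags(HTMLParser):
    """Collect the attributes of every <script> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))  # attribute names arrive lowercased


# type values a browser executes; any other value makes the tag inert data,
# with no CSP violation and nothing in the console
EXECUTABLE_TYPES = {None, "", "text/javascript", "application/javascript", "module"}


def audit(csp_header, html):
    """Return (accepted nonces, [(where, finding, detail), ...])."""
    policy = parse_csp(csp_header)
    nonces = script_nonces(policy)
    findings = []
    if nonces and "'unsafe-inline'" in script_sources(policy):
        # CSP2+ browsers drop 'unsafe-inline' once a nonce or hash is present
        findings.append(("policy", "unsafe-inline-ignored", None))
    parser = ScriptTags()
    parser.feed(html)
    for attrs in parser.tags:
        where = attrs.get("src") or "(inline)"
        stype = attrs.get("type")
        if stype is not None:
            stype = stype.strip().lower()
        if stype not in EXECUTABLE_TYPES:
            findings.append((where, "rewritten-type", stype))
        elif "nonce" not in attrs:
            findings.append((where, "no-nonce", None))
        elif attrs["nonce"] not in nonces:
            findings.append((where, "nonce-mismatch", attrs["nonce"]))
    return nonces, findings


# Constructed sample response, not captured from the site in the question.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ==' 'unsafe-inline'"
SAMPLE_HTML = """
<script nonce="c29tZXJhbmRvbQ==" src="/js/app.js"></script>
<script nonce="c29tZXJhbmRvbQ==">console.log("inline ok");</script>
<script nonce="stale-nonce" src="/js/cached.js"></script>
<script src="/js/legacy.js"></script>
<script type="f1e2d3c4-text/javascript" nonce="c29tZXJhbmRvbQ==" src="/js/widget.js"></script>
"""

if __name__ == "__main__":
    accepted, problems = audit(SAMPLE_CSP, SAMPLE_HTML)
    print("nonces accepted by the policy:", sorted(accepted))
    for where, finding, detail in problems:
        print(f"{finding:22} {where} {detail or ''}")
```

The `rewritten-type` finding is the one to look for when the console is silent: a tag that still carries the right nonce but a `type` the browser does not recognise never executes and never violates the policy, which matches the symptom in the question. Cloudflare documents `data-cfasync="false"` on a `<script>` tag as the per-tag opt-out from Rocket Loader, and disabling the feature for the zone is the broader fix the answer arrived at.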