It's almost impressive how a major company which specializes in web services can manage to screw web-related things up like they do.
The first thing I noticed on my account a while ago was the fact that the Speed-tab had changed and that there was now this new Insights section. Well, despite having that garbage disabled on pretty much every site, save for one or two, every domain in my account was now listed as being "auto setup."
This wasn't that much of a problem since it was relatively painless to just mass remove the sites. However, while debugging some minor issues on one of my sites, I noticed the browser console complaining about a CSP-related error – specifically a script getting blocked from being loaded. Now, I did update my CSP headers a couple of days prior, but I try to keep third-party JS and CSS inclusion as far away from my sites as I can, so it certainly can't have been that. So, as we now know for a fact that it wasn't me who had anything that should trigger a CSP error, anyone care to guess what malware I'd be infected by? Because if I did not include external scripts, it has to have been that I'd gotten infected through something; and I wouldn't be surprised if it was this very site – the sad sacks of shit Ghost developers had probably screwed something up. No one has any guesses? Well, what this stray script inclusion pointed towards was... cloudflareinsights.com.
Yeah, despite having removed all sites from their new shitty Insights page, several of my sites turned out to be including scripts from there. Meaning that despite me already having disabled it prior to the update, and now having deleted all completely, again, Cloudflare still injected those scripts.
The fix, knock on wood, seems to be to add all your sites, and untick the automatic injection of the script, opting to manually install it on your site, then (obviously) simply not add this piece of malware to any of my pages.
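
To confirm that the injected script is really gone from the served HTML, rather than merely being blocked by the CSP, the script tags in a page can be compared against the policy. This is an added example, not part of the original post: the sample page, the policy, `example.org` and every function name are constructed for illustration, and the matching is simplified to `'self'`, exact hosts and `*.` wildcards.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (not captured from a real site).
SAMPLE_CSP = "default-src 'none'; script-src 'self'; style-src 'self'"
SAMPLE_HTML = """<html><head><script src="/assets/site.js"></script></head>
<body><p>hello</p>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def script_sources(csp):
    """Return the source list of script-src, falling back to default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            # First occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src", []))

def host_allowed(host, page_host, sources):
    """Simplified match: 'self', exact hosts and *. wildcards only (assumption)."""
    for source in sources:
        allowed = page_host if source == "'self'" else (
            urlparse(source if "//" in source else "//" + source).hostname or "")
        if host == allowed or (allowed.startswith("*.") and host.endswith(allowed[1:])):
            return True
    return False

def unexpected_scripts(html, page_host, csp):
    """List (src, host) for scripts in the HTML that the CSP would not allow."""
    collector = ScriptCollector()
    collector.feed(html)
    sources = script_sources(csp)
    # A relative src has no hostname, so it resolves to the page's own host.
    hosts = [(src, urlparse(src).hostname or page_host) for src in collector.sources]
    return [(src, host) for src, host in hosts if not host_allowed(host, page_host, sources)]

if __name__ == "__main__":
    for src, host in unexpected_scripts(SAMPLE_HTML, "example.org", SAMPLE_CSP):
        print(f"not allowed by CSP: {host} ({src})")
```

Feeding it the HTML actually returned through the proxy, rather than the origin's own output, is what shows whether anything is still being injected in between.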