Content Security Policy blocking external script
I am experiencing an issue when accessing my website using Firefox on Mac.
The browser blocks the loading of an external Google Adsense script, logging the following error: "Content Security Policy: The page's settings blocked the loading of a resource". Here is an example URL:
To my understanding, the site does not have a Content Security Policy ('CSP'). We don't send a CSP network header or in the HTML, so am at a bit of a loss as to how I debug this.
I don't see the same issue using Firefox on Windows, or with Chrome, Edge or Safari. I have performed a fresh install of Firefox on my Mac to make sure no extensions are causing the issue.
Other websites seem to be running the same AdSense code okay.
Any suggestions would be greatly appreciated.
Many thanks, Matt
All Replies (5)
That data is probably blocked by ETP.
Firefox shows a purple shield instead of a gray shield at the left end of the location/address bar in case Enhanced Tracking Protection is blocking content.
- click the shield icon for more detail and possibly disable the protection
You can check the Web Console for relevant-looking messages about blocked content.
Thanks for responding to my problem.
I have just tried the site with ETP turned off and am still seeing the scripts blocked on Firefox for Mac due to CSP violations - I don't see this on Firefox for Windows with ETP on or off.
I have attached a screenshot of the network and console log on Mac to show the difference. I have turned ETP off so the beacon tracking requests are allowed.
Many thanks, Matt
For me that item is blocked by ETP and get a crossed shield with ETP disabled.
The script doesn't look blocked in your latest screenshot - it is the third last item (120kb script from domain pagead2... with a file name 'show_ads_...'. This script is only blocked on Firefox for Mac browsers from my tests.
The request that is being blocked in your screenshot is a tracking request -- this is fine as it doesn't break the site functionality (but blocked the script does affect site functionality).
What I meant to show is that the two pagead2 you mention have the shield. I'm not sure why there is still one left as blocked by tracking when ETP is disabled via the shield. Firefox can replace some tracking related files by shimmed versions that have limited effect (i.e. they let the caller believe that it worked successful).