CSP errors in Firefox #1529

Closed
opened 2026-04-06 01:59:01 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @otbutz on 7/18/2023

Subject of the issue

Firefox logs the following errors to its developer console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). inject.js:22:29
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). inject.js:41:35

This does not happen in Chrome.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.0
  • Web-vault version: v2023.5.0
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true

Steps to reproduce

Open the login page with Firefox and check the console output.

Expected behaviour

No errors should be logged.

Troubleshooting data

content-security-policy header as logged by Firefox:

default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/ ;
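The console message above is Firefox applying the `script-src` directive of the logged header: that directive lists only `'self'` and `'wasm-unsafe-eval'`, so any inline script (an extension-injected `inject.js` included) is refused, while `style-src` carries `'unsafe-inline'` and so inline styles pass. The following Python, an added example and not Vaultwarden or Firefox code, parses the header exactly as logged and reproduces that decision the way a browser would, including the `default-src` fallback and the rule that `'unsafe-inline'` is ignored once a nonce, hash or `'strict-dynamic'` source is present. The `VAULTWARDEN_CSP` constant is the issue's own header; the small nonce policies in the test are constructed.

```python
"""Evaluate a Content-Security-Policy header for inline script/style the way a
browser does: parse directives, apply default-src fallback, decide allow/block.
Added example, not Vaultwarden or Firefox code."""
from __future__ import annotations

# The header exactly as Firefox logged it in the issue report.
VAULTWARDEN_CSP = (
    "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; "
    "script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; "
    "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; "
    "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; "
    "frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb "
    "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; "
    "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com ; "
    "connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory "
    "https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/ ;"
)

# Fetch directives that inherit default-src when they are absent (subset of CSP3's
# fallback list; navigation directives such as base-uri and frame-ancestors do not).
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "object-src",
    "child-src", "frame-src", "font-src", "media-src", "worker-src",
}

# Keyword sources that make 'unsafe-inline' a no-op in the same directive.
INLINE_OVERRIDERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "name value value; name ..." into {name: [values]}.
    The first occurrence of a directive wins; later duplicates are ignored, as the spec requires."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_directive(policy: dict[str, list[str]], directive: str) -> tuple[str | None, list[str] | None]:
    """Return (directive name that actually governs, its source list), or (None, None)
    when neither the directive nor an applicable default-src is present."""
    if directive in policy:
        return directive, policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, None


def inline_allowed(policy: dict[str, list[str]], directive: str,
                   nonce: str | None = None, sha256: str | None = None) -> tuple[bool, str]:
    """Decide whether an inline <script>/<style> governed by `directive` may run.
    Inline content is allowed only by a matching nonce or hash, or by 'unsafe-inline'
    when no nonce/hash/'strict-dynamic' source is present in the governing directive."""
    name, values = effective_directive(policy, directive)
    if values is None:
        return True, f"no {directive} and no default-src: browser applies no restriction"
    if nonce is not None and f"'nonce-{nonce}'" in values:
        return True, f"nonce matched in {name}"
    if sha256 is not None and f"'sha256-{sha256}'" in values:
        return True, f"sha256 hash matched in {name}"
    overridden = any(v.startswith(INLINE_OVERRIDERS) for v in values)
    if "'unsafe-inline'" in values and not overridden:
        return True, f"'unsafe-inline' present in {name}"
    return False, f"blocked by {name}: {' '.join(values)}"


if __name__ == "__main__":
    policy = parse_csp(VAULTWARDEN_CSP)
    for directive in ("script-src", "style-src"):
        ok, why = inline_allowed(policy, directive)
        print(f"inline {directive:10s} -> {'allowed' if ok else 'BLOCKED'} ({why})")
```

Running the block prints that inline `script-src` is blocked and inline `style-src` is allowed, which is exactly the pair of outcomes behind the reported console lines. The evaluator is a triage aid: feed it any `Content-Security-Policy` value captured from the response headers to see which directive is responsible for a given "blocked the loading of a resource at inline" message before deciding whether the policy or the injected script should change.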
Reference: github/vaultwarden#1529