[GH-ISSUE #3706] CSP errors in Firefox #1648

Closed
opened 2026-03-03 02:10:56 +03:00 by kerem · 2 comments

Originally created by @otbutz on GitHub (Jul 18, 2023).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/3706

Subject of the issue

Firefox logs the following errors to its developer console:

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). inject.js:22:29
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). inject.js:41:35

This does not happen in Chrome.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.0
  • Web-vault version: v2023.5.0
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true

Steps to reproduce

Open the login page with Firefox and check the console output.

Expected behaviour

No errors should be logged.

Troubleshooting data

content-security-policy header as logged by Firefox:

default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/ ;
kerem closed this issue 2026-03-03 02:10:56 +03:00

@stefan0xC commented on GitHub (Jul 18, 2023):

Sounds like there are scripts added to your site which Firefox correctly blocks. What extensions/hosting provider are you using?


@otbutz commented on GitHub (Jul 18, 2023):

Thanks for the tip! Disabling all extensions got rid of the errors. I traced it back to the User-Agent Switcher extension.

Sorry for the noise.
