Open
Description
Navigating to a self-hosted nitter instance, I can see the following error in the browser console:
Content-Security-Policy: The page’s settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: “script-src 'self' 'unsafe-inline'” (Missing 'unsafe-eval')
Source: HTMLElement.prototype.focus = ((realFocu…
Cannot identify anything being broken, but surely that error shouldn't be there.
Response headers for / request:
HTTP/2 200
server: nginx
date: Mon, 23 Jun 2025 15:45:35 GMT
content-type: text/html;charset=utf-8
vary: Accept-Encoding
strict-transport-security: max-age=63072000; includeSubDomains; preload
cache-control: no-transform
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-ua-compatible: IE=Edge
x-xss-protection: 1; mode=block
x-robots-tag: noindex, nofollow, nosnippet, noarchive
content-security-policy: upgrade-insecure-requests; frame-ancestors 'self', default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'
content-encoding: gzip
X-Firefox-Spdy: h2
Running Firefox 139.0.4