1. Go to https://www.mollysastrology.com
2. Check the HTTP Response

The value for HTTP Response

HTTP/2 200 OK
date: Thu, 03 Mar 2022 11:40:47 GMT
content-type: text/html; charset=UTF-8
content-length: 20900
cache-control: public, max-age=0
expires: Thu, 03 Mar 2022 11:40:47 GMT
last-modified: Wed, 02 Mar 2022 19:10:07 GMT
accept-ranges: bytes
content-encoding: gzip
vary: Accept-Encoding
wpx: 1
strict-transport-security: max-age=31536000; includeSubDomains
x-xss-protection: 1; mode=block
content-security-policy: default-src �self�;
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
x-turbo-charged-by: LiteSpeed
x-edge-location: WPX CLOUD/TYO02
server: WPX CLOUD/TYO02
x-cache-status: MISS
X-Firefox-Spdy: h2

Check this specific Header.

content-security-policy: default-src �self�;

Expected:
This is to be determined.

Actual:
Currently Safari Tech Preview and Edge Blink Canary do not have any issues with it.
Firefox bails out on all subsequent resources and displays only the HTML page (without JS and CSS).

Note: This probably requires digging into the specification and determining
1. what the spec says
2. what is the best course of action. Change the spec or align the implementations of Gecko, Blink and WebKit

Basically this creates a Webcompat issue
https://github.com/webcompat/web-bugs/issues/100417

Opened on
https://bugs.webkit.org/show_bug.cgi?id=237419
https://bugzilla.mozilla.org/show_bug.cgi?id=1757913
https://bugs.chromium.org/p/chromium/issues/detail?id=1302617

So this is already a known bug on Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=1570722

And it was discussed on
https://github.com/w3c/webappsec-csp/issues/473

The behavior of Blink and WebKit is right.
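
A header lint for the condition this report describes, as an added example that is not part of the bug report or of any browser's code: it splits a policy on `;` and reports every directive that contains a non-ASCII character. It assumes such a directive is dropped whole, which matches the Blink and WebKit behaviour reported above; `lintCsp` and the sample header values are constructed for illustration.

```javascript
// Added example. The function name and sample values are constructed.
const NON_ASCII = /[^\x00-\x7F]/;
const ASCII_WS_EDGES = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

// Render a character as U+XXXX so the offending byte sequence is visible in logs.
function codePoint(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Classify each directive of a serialized Content-Security-Policy value.
// Assumption: a directive containing any non-ASCII character is dropped whole,
// so a policy made up only of such directives enforces nothing.
function lintCsp(headerValue) {
  const kept = [];
  const dropped = [];
  for (const raw of headerValue.split(";")) {
    const token = raw.replace(ASCII_WS_EDGES, "");
    if (token === "") continue; // trailing ";" or empty directive
    if (NON_ASCII.test(token)) {
      const offenders = [...token].filter((ch) => NON_ASCII.test(ch)).map(codePoint);
      dropped.push({ directive: token, offenders });
      continue;
    }
    const [name, ...sources] = token.split(/[\t\n\f\r ]+/);
    kept.push({ name: name.toLowerCase(), sources });
  }
  return { kept, dropped, enforcesNothing: kept.length === 0 };
}

// Constructed samples: typographic quotes around self, then the ASCII form.
const samples = [
  "default-src \u2018self\u2019;",
  "default-src 'self'; img-src https:",
  "default-src \u2018self\u2019; script-src 'none'",
];
for (const value of samples) {
  const report = lintCsp(value);
  for (const d of report.dropped) {
    console.log(`non-ASCII directive "${d.directive}" (${d.offenders.join(", ")})`);
  }
  if (report.enforcesNothing) {
    console.log("no usable directive left: browsers may disagree on this header");
  }
}
```

Running a check like this in the deployment pipeline catches a header that one engine ignores and another enforces as a policy matching no source.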