"Blocked by content security policy" issue on Apple Forum

Board for discussions around the Basilisk web browser.

Moderator: Basilisk-Dev

Smokey20

"Blocked by content security policy" issue on Apple Forum

Unread post by Smokey20 » 2020-05-21, 12:14

I use DDG and find discussions at Apple forums on whatever problem I am having with my iPhone10R or my iWatch 5. I read the discussion and want to add a reply. I click to log into Apple forums and I get a page saying "Blocked by Content Security Policy".

It is irritating because if I have to go to Apple Support and then login, I will lose connection to the thread I was reading in Apple forums. I should be able to login to the forums directly from the forum thread by clicking login. Instead, I get a page saying Blocked by Content Security Policy.

If I switch to a Chrome based browser (yuck) like Brave, when I click to login into the Apple forums when reading a thread in the forums, I get the Apple Forums login page not a page saying Blocked by Content Security Policy. How do I fix Basilisk so I can login to Apple forums directly from the Apple forums and NOT from support.apple.com? Why do Chrome based browsers work ok but not Fx based ones? Basilisk is my default browser since Basilisk was first offered (when I had no Apple products) but this is irritating.

I have Windows computers, but also have an iPhone 10R and a six month old iWatch 5 so I need Windows stuff (browsers and otherwise) to work properly with my Apple products.
Last edited by Moonchild on 2020-05-23, 12:54, edited 1 time in total.

Moonchild
Pale Moon guru
Posts: 35640
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Why do I get this?

Unread post by Moonchild » 2020-05-21, 12:38

You likely get this because your browser of choice is being discriminated against. Simple as that.

(and once again there is nothing for us to look at if there is no URL given to a problematic site, with over 150 posts on this forum you really really REALLY should know this by now.)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Smokey20

Re: Why do I get this?

Unread post by Smokey20 » 2020-05-22, 08:02

Sorry. You are right. I should have provided screenshots or urls, etc. :oops:

I was getting the same response on Fx 60.8 ESR but I didn't try it again yesterday before posting here. I tried it just now and Apple has changed something because the login link (upper left side of the page when reading a thread in the forum) is completely unresponsive now on Fx 60.8 ESR. So, still using Fx 60.8 ESR, I tried clicking on the midpage link to ask a new question on the same subject. With Fx, that got me a login popup which works.
Thursday, May 21, 2020 21;59;30001.png
On Basilisk trying that gets me the same "Blocked by Content Security" that I get on Basilisk when I click on the login link while in the forum.

here's the url:
https://discussions.apple.com/thread/8040358

Here's some screenshots:
Thursday, May 21, 2020 21;11;41001.png
Thursday, May 21, 2020 21;12;46001.png

Moonchild

Re: Why do I get this?

Unread post by Moonchild » 2020-05-22, 08:23

Unable to reproduce on either Basilisk or Pale Moon. In both cases the login just shows up.
I'm also not sure why there is an outright block instead of just throwing errors in the console; did you change any CSP preferences?

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: Why do I get this?

Unread post by adesh » 2020-05-22, 08:31

Just to add one more vote -- not able to reproduce.

I'm on Mac and I tried both with Basilisk and Pale Moon (Native UA) and was successfully able to see the login page.

badnick
Astronaut
Posts: 670
Joined: 2017-03-23, 19:56

Re: Why do I get this?

Unread post by badnick » 2020-05-22, 08:34

Is working here. Clicking on the link which you indicated I get the login window.
Windows 10 pro /64 (version 1809)
PM last/64

Smokey20

Re: Why do I get this?

Unread post by Smokey20 » 2020-05-22, 10:33

Thanks everyone for chiming in!

I tried Basilisk in Safe Mode and still have the problem so that should rule out some extension as a culprit.

I just put security.csp.enable; and security.csp.enableStrictDynamic; in about:config to "false" temporarily to see if that made a difference. (I didn't close and restart Basilisk as I have at least 100 tabs open currently. Should I have?) It had the effect of making that page saying "blocked by content security" NOT appear. But I still had a problem as I simply got a blank page with a grayed out activity icon in the middle as though the browser was trying to load the page now that I disabled those two about:config entries but it couldn't.
Friday, May 22, 2020 00;16;10001.png
Are there any CSP preferences besides the two I mentioned in the above paragraph that I can check to see if I changed them and have forgotten?

adesh

Re: Why do I get this?

Unread post by adesh » 2020-05-22, 11:19

Try a fresh profile. Maybe you have changed some preferences which are causing this.

Moonchild

Re: Why do I get this?

Unread post by Moonchild » 2020-05-22, 11:21

Can you please check the web console for any particular errors you get?
Open up the page, open the web console, press the trash can, then try to click the link and check for errors in the console.

therube
Board Warrior
Posts: 1651
Joined: 2018-06-08, 17:02

Re: Why do I get this?

Unread post by therube » 2020-05-22, 12:04

Maybe (exacerbated by) a cookie or cache issue?

Smokey20

Re: Why do I get this?

Unread post by Smokey20 » 2020-05-23, 09:02

(Sorry, today was very busy and I couldn't do this until near midnight now).

Just going to that webpage then clicking the trashcan in web console and then refreshing that page gets this:

reflow: 4ms
reflow: 4ms
reflow: 0ms
reflow: 0ms function [164]</u._invalidateStyles, ac-globalnav.built.js line 3
reflow: 0ms function [164]</u._invalidateStyles, ac-globalnav.built.js line 3
reflow: 0ms function ye/e<, dtml.js line 1
reflow: 0ms function ye/e<, dtml.js line 1
Use of Mutation Events is deprecated. Use MutationObserver instead.
index.js:8:30800
Strict-Transport-Security: The site specified a header that could not be parsed successfully.[Learn More]
suggestions
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.apple.com/search-services/suggestions/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
(unknown)

Then if I use the trash can to clear the above and then click on the link on the page to start a new thread I get this:

The resource from “https://www.apple.com/wss/fonts?familie ... o+Icons,v1” was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
signin
The resource from “https://www.apple.com/wss/fonts?familie ... o+Icons,v1” was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
signin
reflow: 2ms
reflow: 2ms
reflow: 0ms function [162]</u._invalidateStyles, ac-globalnav.built.js line 3
reflow: 0ms
reflow: 0ms
reflow: 0ms
reflow: 0ms function getThumbnailImageURI, thumbnail-utils.js line 85
reflow: 0ms
reflow: 0ms
Load denied by X-Frame-Options: https://discussions.apple.com/ does not permit framing by https://idmsa.apple.com/IDMSWebAuth/sig ... edf56&rv=1.
(unknown)
reflow: 0ms function [162]</u._invalidateStyles, ac-globalnav.built.js line 3
reflow: 0ms
reflow: 0ms
reflow: 0ms function [162]</u._invalidateStyles, ac-globalnav.built.js line 3
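
Added example, not part of the original posts: a small triage of the console output above that maps each message to the browser mechanism that emitted it, so the policy denials stand apart from the reflow noise. The names `RULES`, `triage` and `summarize` are hypothetical; the sample lines are copied from the post.

```javascript
const RULES = [
  { mechanism: "X-Frame-Options", blocking: true,
    re: /^Load denied by X-Frame-Options: (\S+) does not permit framing by (.+?)\.?$/,
    detail: (m) => ({ framed: m[1], framedBy: m[2] }) },
  { mechanism: "X-Content-Type-Options", blocking: true,
    re: /^The resource from “([^”]+)” was blocked due to MIME type mismatch/,
    detail: (m) => ({ resource: m[1] }) },
  { mechanism: "CORS", blocking: true,
    re: /^Cross-Origin Request Blocked: .* remote resource at (\S+?)\. \(Reason: (.+)\)\.?$/,
    detail: (m) => ({ resource: m[1], reason: m[2] }) },
  // A header the browser could not parse is ignored; nothing is blocked.
  { mechanism: "Strict-Transport-Security", blocking: false,
    re: /^Strict-Transport-Security: /, detail: () => ({}) },
  // Prefix Gecko uses when it reports a CSP violation in the console.
  { mechanism: "Content-Security-Policy", blocking: true,
    re: /^Content Security Policy: /, detail: () => ({}) },
];

// Return one finding per recognised line; reflow timings, deprecation
// notices and bare source labels such as "signin" are skipped.
function triage(lines) {
  const findings = [];
  for (const raw of lines) {
    const rule = RULES.find((r) => r.re.test(raw.trim()));
    if (!rule) continue;
    const m = rule.re.exec(raw.trim());
    findings.push({ mechanism: rule.mechanism, blocking: rule.blocking, ...rule.detail(m) });
  }
  return findings;
}

// Count findings per mechanism, to see at a glance which policies fired.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.mechanism] = (counts[f.mechanism] || 0) + 1;
  return counts;
}

// Sample input: lines copied from the console output in the post above.
const POSTED_LOG = [
  "reflow: 0ms function [164]</u._invalidateStyles, ac-globalnav.built.js line 3",
  "Use of Mutation Events is deprecated. Use MutationObserver instead.",
  "Strict-Transport-Security: The site specified a header that could not be parsed successfully.[Learn More]",
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.apple.com/search-services/suggestions/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).",
  "The resource from “https://www.apple.com/wss/fonts?familie ... o+Icons,v1” was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).",
  "signin",
  "Load denied by X-Frame-Options: https://discussions.apple.com/ does not permit framing by https://idmsa.apple.com/IDMSWebAuth/sig ... edf56&rv=1.",
];

console.log(summarize(triage(POSTED_LOG)));
```

Run over these lines, the triage reports no Content-Security-Policy entry; the only frame-related denial it finds is the X-Frame-Options one.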

Smokey20

Re: Why do I get this?

Unread post by Smokey20 » 2020-05-23, 09:16

therube wrote:
2020-05-22, 12:04
Maybe (exacerbated by) a cookie or cache issue?
In many instances, I would suspect a possible cookie problem but for Apple.com I told Cookie Controller a long time ago to allow ALL cookies (except third party that I deny globally in Basilisk under Custom Settings for Privacy/History). I have a lot of Apple cookies.

As for cache, I do not allow cache in browsers that allow me to manipulate that setting (one reason I don't use Vivaldi much is that it still does not allow for 0 cache to be set). I have fast broadband and don't need cache.

Moonchild

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Moonchild » 2020-05-23, 12:55

Why do you have reflow debugging enabled? Have you been messing with settings in about:config you didn't know what they do?
I'm guessing other preferences you've touched may be causing this particular problem.

I suggest resetting all preferences to Pale Moon defaults at this point:
  1. Go to Help -> Restart in Safe Mode
  2. In the recovery window, check the box "Reset all preferences to Pale Moon defaults"
  3. Click "Make changes and restart"
Then try again.

Smokey20

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Smokey20 » 2020-05-25, 09:33

I have no idea why reflow debugging is enabled. I have never heard of it and certainly did not enable it in about:config. Is it this?

layout.interruptible-reflow.enabled;true

I just switched to my Windows 8.0 Pro computer and started Basilisk. I don't use this computer a lot because I have to share one monitor with both computers and that doesn't work too well when switching back and forth (and it is not safe for some things like banking since it is NOT 8.1). I have Basilisk version 2020.3.11 installed. I don't get the "blocked by content security policy" error on it. However, I don't know if that is because it is an OLDER version of Basilisk installed or because it is the far superior Windows 8. (I would not be surprised if the problem on my Windows 10 computer has something to do with Windows 10 1809 that I am currently on. I don't recall the problem on Windows 10 1803).

Moonchild

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Moonchild » 2020-05-25, 09:52

Smokey20 wrote:
2020-05-25, 09:33
Is it this?
no.

And no it won't have anything to do with which version of windows you are running.
Did you try following the steps to reset preferences?

Smokey20

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Smokey20 » 2020-05-25, 12:21

I did update Basilisk on Windows 8.0 Pro just now and I have no problems with accessing Apple login but "signin" in the upper left corner under "Communities" does nothing when I click on it. But clicking on the link in the center of the page to start a new thread does work properly.

No, I did not reset Basilisk and I won't. I'll just use another browser when I need Apple (or use my Windows 8 Pro computer more which I should anyway since it is far superior to the newer computer with the crappy Windows 10 nightmare that never ends). I'll have to keep at least two browsers running at all times when on Windows 10...I usually do that anyway. Resetting Basilisk (or any of the browsers that I have and have configured to my liking) would be a nightmare. The reason I like Basilisk so much is that it is highly configurable ...like Fx used to be and lets me use my favorite XUL extensions (which Pale Moon doesn't).

To fix one problem is overkill to reset any browser that has a lot of configured settings. If you do that, it takes way, way too much time to reconfigure it. Thanks though for your suggestions.

Moonchild

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Moonchild » 2020-05-25, 12:26

Smokey20 wrote:
2020-05-25, 12:21
No, I did not reset Basilisk and I won't.
Noted. If you don't know why you alone have this problem and refuse to follow simple steps to narrow down this problem then you are going to be alone with your problems.

moonbat
Knows the dark side
Posts: 4981
Joined: 2015-12-09, 15:45

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by moonbat » 2020-05-25, 12:52

Smokey20 wrote:
2020-05-25, 12:21
and lets me use my favorite XUL extensions (which Pale Moon doesn't).
You must mean bootstrap extensions. Pure XUL/overlay extensions run fine in Pale Moon, and usually the last version of a popular extension tends to have been targeted to later versions of Firefox that were transitioning to multiprocess, so the older versions work great with Pale Moon. Of course, with your attitude, more likely you wouldn't bother trying to find out.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Moonchild

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by Moonchild » 2020-05-25, 12:57

moonbat wrote:
2020-05-25, 12:52
You must mean bootstrap extensions.
Probably jetpack extensions aiming at CustomizableUI.

moonbat

Re: "Blocked by content security policy" issue on Apple Forum

Unread post by moonbat » 2020-05-25, 13:04

Off-topic:
Moonchild wrote:
2020-05-25, 12:57
Probably jetpack extensions aiming at CustomizableUI.
Ah, thought they were the same thing, seeing as I saw a bootstrap.js in both kinds. They don't play well with the toolbar is what I've observed.