Firefox Reporting Disqus Hosts as Missing from default-src

Published: April 13, 2020

I recently set up a Content Security Policy (CSP) on this website.

My site uses Disqus, so my Content-Security-Policy whitelisted their domains, something like this:

default-src
  'self';

script-src
  'self'
  c.disquscdn.com
  ...;

However, after deploying the Content-Security-Policy I noticed I was getting reports like this, specifically from Firefox:

{
    "csp-report": {
        "blocked-uri": "https://c.disquscdn.com/next/embed/lounge.bundle.66651ad59b7dd01c893000c33250bd93.js",
        "document-uri": "https://maxchadwick.xyz/blog/concatenate-a-string-and-an-int-in-go",
        "original-policy": "default-src 'self'; script-src 'self' https://c.disquscdn.com ...",
        "violated-directive": "default-src"
    }
}

As you can see, the blocked-uri is a .js file loaded from c.disquscdn.com, which is clearly whitelisted under the script-src directive. Why would Firefox complain about this?

After a bit of research, I found this piece of information in an article titled “Implementing Content Security Policy”, published on hacks.mozilla.org:

If you rely on prefetching, you might encounter problems with default-src ‘none’. On AMO, we discovered that browser prefetching in Firefox will not be identified as a specific content type, therefore falling back to default-src. If default-src doesn’t cover the origin involved, the prefetched resource will be blocked. There’s a bug open with additional information on this issue.

https://hacks.mozilla.org/2016/02/implementing-content-security-policy/

I checked the document and, lo and behold, Disqus had appended a <link rel="prefetch"> for the asset in question.

Screenshot of HTML document showing Disqus prefetch link tag

In my case I decided to update default-src to additionally include these hosts. As I’ve already put my trust in them by whitelisting them under script-src, I don’t see any additional danger in doing this (not to mention the fact that there doesn’t appear to be any other alternative, other than just ignoring the reports).
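To make the fallback concrete, here is an added example of mine (not code from this post or from Disqus) that models how a browser picks the governing directive for a fetch. It assumes, as the Mozilla article describes for Firefox, that a prefetch has no specific content type and so is checked straight against default-src; the source matcher is a deliberate simplification (no wildcards, nonces, hashes or path matching) and the asset path is constructed.

```python
from urllib.parse import urlparse

# Absent fetch directives fall back to default-src. Per the Mozilla article,
# Firefox gives a <link rel="prefetch"> fetch no specific type, so it is
# governed by default-src directly and never consults script-src.
FALLBACK = {
    "script": ("script-src", "default-src"),
    "style": ("style-src", "default-src"),
    "prefetch": ("default-src",),
}

def parse_policy(policy):
    """'default-src 'self'; script-src 'self' host' -> {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, url, page):
    """Simplified matcher: 'none', 'self' and scheme-optional host sources only."""
    if source == "'none'":
        return False
    if source == "'self'":
        return (url.scheme, url.netloc) == (page.scheme, page.netloc)
    scheme, _, host = source.rpartition("://")  # scheme is '' when omitted
    return url.netloc == host and (not scheme or url.scheme == scheme)

def check(policy, page_url, resource_url, resource_type):
    """Return (allowed, violated_directive) for one fetch under the policy."""
    directives = parse_policy(policy)
    page, url = urlparse(page_url), urlparse(resource_url)
    for name in FALLBACK[resource_type]:
        if name in directives:
            allowed = any(source_matches(s, url, page) for s in directives[name])
            return allowed, (None if allowed else name)
    return True, None  # no governing directive present: nothing to enforce

PAGE = "https://maxchadwick.xyz/blog/concatenate-a-string-and-an-int-in-go"
ASSET = "https://c.disquscdn.com/next/embed/lounge.bundle.js"  # constructed path
BEFORE = "default-src 'self'; script-src 'self' https://c.disquscdn.com"
AFTER = "default-src 'self' https://c.disquscdn.com; script-src 'self' https://c.disquscdn.com"

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        for kind in ("script", "prefetch"):
            allowed, violated = check(policy, PAGE, ASSET, kind)
            print(f"{label:6} {kind:8} allowed={allowed} violated={violated}")
```

Because every fetch directive you have not set explicitly also falls back to default-src, widening it widens those too; keeping script-src (and any other directive you care about) spelled out, as AFTER does, limits the change to the fallback case.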

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

If you'd like to get in touch with me the best way is on Twitter.