Firefox Reporting Disqus Hosts as Missing from default-src

Published: April 13, 2020


I recently set up a Content Security Policy (CSP) on this website.

My site uses Disqus, so my Content-Security-Policy had their domains whitelisted something like this:



However, after deploying the Content-Security-Policy I noticed I was getting reports like this, specifically from Firefox:

    "csp-report": {
        "blocked-uri": "",
        "document-uri": "",
        "original-policy": "default-src 'self'; script-src 'self' ...",
        "violated-directive": "default-src"

As you can see, the blocked-uri is a .js file loaded from which is clearly whitelisted under the script-src directive. Why would Firefox complain about this?

After a bit of research I found this piece of information in an article titled “Implementing Content Security Policy” published on

If you rely on prefetching, you might encounter problems with default-src ‘none’. On AMO, we discovered that browser prefetching in Firefox will not be identified as a specific content type, therefore falling back to default-src. If default-src doesn’t cover the origin involved, the prefetched resource will be blocked. There’s a bug open with additional information on this issue.

I checked the document and lo and behold Disqus had appended a <link rel="prefetch"> for the asset in question.

Screenshot of HTML document showing Disqus prefetch link tag

In my case I decided to update default-src to additionally include these hosts. As I’ve already put my trust in them by whitelisting them under script-src I don’t see any additional danger to doing this (not to mention the fact that there doesn’t appear to be any other alternative, other than just ignoring the reports).

Max Chadwick Hi, I'm Max!

I'm a software developer who mainly works in PHP, but loves dabbling in other languages like Go and Ruby. Technical topics that interest me are monitoring, security and performance. I'm also a stickler for good documentation and clear technical writing.

During the day I lead a team of developers and solve challenging technical problems at Rightpoint where I mainly work with the Magento platform. I've also spoken at a number of events.

In my spare time I blog about tech, work on open source and participate in bug bounty programs.

If you'd like to get in contact, you can find me on Twitter and LinkedIn.