Apple Login doesn’t work because of Content security policy?
When trying to log in / load the page privacy.apple.com there is an error message appearing.
See: https://i.imgur.com/NByv2q9.jpg
Console says: Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).. It seems like Firefox is doing what https://privacy.apple.com/ instructed it to do. The offending site is idmsa.apple.com.
No, wait... :thinking: If you toggle network.http.referer.spoofSource it will work.
I'm having this type of issue, too. The main Apple logins (e.g. icloud.com) do indeed work OK once network.http.referer.spoofSource is disabled, but I can't log in to Apple Music without getting an error saying Blocked by X-Frame-Options Policy.
If I restart FF in safe mode I still get the error (i.e. it's not an addon), but if I launch a new profile I can load the login just fine. Any ideas please?
Edit: My apologies, it seems it was caused by a remnant from my ghacks prefs, namely user_pref("security.ssl.require_safe_negotiation", true);. Once I commented that line (with a wipe of prefs.js each restart to test) the page loads the login normally. Rather than delete this I'll leave it in case someone finds it via search (as I did) when they have the same issue.
If you toggle network.http.referer.spoofSource it will work.
Then I think https://github.com/pyllyukko/user.js/pull/491 fixes this; network.http.referer.spoofSource is now false by default. I used to have the same problem.
I can confirm that this issue is still open with 78.8.0esr (64-bit) and d6ce4ebf9e30e846b9e383384f7a20d121fb4030 with error "The loading of “https://idmsa.apple.com/..snip..” in a frame is denied by “X-Frame-Options“ directive set to “DENY“."
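Added example, not part of the thread or of the user.js project: a small checker that reads the text of a user.js or prefs.js file and reports whether either of the two preferences named in the comments above is still active with the value the commenters reported as problematic. It ignores commented-out lines and lets the last assignment win; the names `REPORTED`, `strip_comments`, `active_prefs`, `flag_reported` and the preference `example.constructed.pref` are assumptions made for this example.

```python
import re

# Preferences and values that participants in this thread reported as
# interfering with Apple logins (their reports, not a verified list).
REPORTED = {
    "network.http.referer.spoofSource": "true",
    "security.ssl.require_safe_negotiation": "true",
}

# A double-quoted string, a // line comment, or a /* */ block comment.
# Strings are listed first so comment markers inside them are never stripped.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?(?:\*/|\Z)', re.DOTALL)
PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def strip_comments(text):
    """Drop // and /* */ comments while leaving double-quoted strings intact."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text
    )


def active_prefs(text):
    """Return {name: raw value} for uncommented user_pref() calls; last one wins."""
    return dict(PREF_RE.findall(strip_comments(text)))


def flag_reported(text):
    """Return the reported preferences that are active with the reported value."""
    prefs = active_prefs(text)
    return {name: bad for name, bad in REPORTED.items() if prefs.get(name) == bad}


# Constructed sample user.js (not from the thread; example.constructed.pref is made up).
SAMPLE = '''\
user_pref("network.http.referer.spoofSource", true);
user_pref("example.constructed.pref", "text/html,*/*;q=0.8");
// user_pref("security.ssl.require_safe_negotiation", true);
user_pref("network.http.referer.spoofSource", false);  /* later line wins */
user_pref("security.ssl.require_safe_negotiation", true);
'''

if __name__ == "__main__":
    print(flag_reported(SAMPLE))
```

Running it on both user.js and prefs.js is useful because a value set through user.js is also written to prefs.js, which is why the commenter above wiped prefs.js between tests.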