Hi @rmlumley, and sorry for not answering earlier. Turns out I forgot to subscribe to notifications here, so I didn’t see your message.
This is probably not the best place to ask about general CSP help, but I will try to explain what I think could be happening nonetheless. For a more in-depth explanation you would have to ask someone more familiar with the specifics of CSP.
The front page includes the following HTML snippet:
<link rel="next" href="https://morgridge.org/page/2/">
(This is not uncommon for sites, it just tells the browser the URL of the next page.)
I believe it is possible that Firefox is doing something like prefetching or preconnecting to this page, to improve load time if the user clicks the “next” link at the bottom of the page. (You don’t seem to actually have a next link, so I’m not sure why the link rel=”next” is added at all.)
This preconnecting (or whatever it is) would need to be allowed in the CSP, in the relevant directive. Since the correct directive is not set, it falls back to default-src, which I assume does not contain anything that would allow that connection.
I am not entirely sure what Firefox is doing here, but it is clear that it treats the link rel=”next” tag different from other browsers. It is probably not a major problem, but adding ‘self’ to either default-src or the relevant more specific directive (which I suspect might be connect-src, but haven’t confirmed) should make the error go away.
– Patrick Sletvold