april / laboratory

Because good website security shouldn't only be available to mad scientists!
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
Mozilla Public License 2.0
172 stars, 13 forks

Enforcing recorded CSP breaks page #16

Closed TotallyInformation closed 6 years ago

TotallyInformation commented 6 years ago

My blog site is currently using a Google custom site search:

https://it.knightnet.org.uk/about/search/

When I record this page and then turn on the "enforce policy" setting, the search components no longer load.

Oddly, I was checking the FF version and it needed a restart. When restarted with the enforce policy switch still on, it worked but stopped working again when I reloaded.

FF Aurora 62.0b11 (64-bit) on Windows 10.

Generated CSP is:

 default-src 'none'; frame-src https://cse.google.com https://disqus.com; img-src https://c.disquscdn.com https://clients1.google.com https://d33wubrfki0l68.cloudfront.net https://encrypted-tbn0.gstatic.com https://encrypted-tbn3.gstatic.com https://referrer.disqus.com https://ssl.gstatic.com https://stackexchange.com https://www.google.com https://www.googleapis.com; script-src 'self' https://cse.google.com/adsense/search/async-ads.js https://cse.google.com/cse.js https://muchadoaboutit.disqus.com/embed.js https://www.google.com/jsapi https://www.google.com/uds/api/search/1.0/4aa0772189af4c17ea7ec181af2bca15/default+en.I.js https://www.googleapis.com/customsearch/v1element moz-extension://780facd2-0f47-4ff4-baed-88b8605a8470/_generated_background_page.html; style-src 'self' https://www.google.com/cse/static/style/look/v2/ https://www.google.com/uds/api/search/1.0/4aa0772189af4c17ea7ec181af2bca15/ moz-extension://780facd2-0f47-4ff4-baed-88b8605a8470/ 
april commented 6 years ago

Huh, interesting. I'll take a look at it. Thanks!

april commented 6 years ago

This was due to a change here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1236222

I've fixed half of this. The other half is that your search uses 'unsafe-eval', something my code can't directly detect, but if you copy and add it to a custom CSP, it should work great.
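
The two halves of the fix described in this thread, as an added example that is not part of the issue or of Laboratory's own code: a small Node.js script that parses a serialized CSP the way a browser does (first directive of a given name wins, missing fetch directives fall back to default-src), reports whether eval() would be permitted, and adds 'unsafe-eval' to script-src, which is the manual step suggested above. The RECORDED_CSP string is a trimmed copy of the policy posted in the issue; the function names are my own.

```javascript
// Added example for this thread, not Laboratory's code. Runs under Node.js with
// no dependencies: parse a CSP, check the eval rule, add a source expression.

// Trimmed copy of the recorded policy from the issue (constructed sample input).
const RECORDED_CSP =
  "default-src 'none'; " +
  "frame-src https://cse.google.com https://disqus.com; " +
  "script-src 'self' https://cse.google.com/cse.js https://www.google.com/jsapi; " +
  "style-src 'self' https://www.google.com/cse/static/style/look/v2/";

// Parse "name src src; name src" into Map<directive name, source expressions>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive name: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Sources that govern `directive`, honouring the default-src fallback.
// Returns null when neither is present, i.e. the policy does not restrict it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.get('default-src') || null;
}

// eval()/new Function() run only if the governing script directive lists
// 'unsafe-eval'. A recorder that watches network requests never sees eval,
// so this is the part that has to be added by hand.
function allowsEval(policy) {
  const sources = effectiveSources(parseCsp(policy), 'script-src');
  if (sources === null) return true;
  return sources.includes("'unsafe-eval'");
}

// Add a source expression to a directive. When the directive is absent, start
// from the default-src fallback so the result is no wider than before, except
// that a lone 'none' is dropped: 'none' is only meaningful on its own.
function addSource(policy, directive, source) {
  const directives = parseCsp(policy);
  let sources = directives.has(directive)
    ? [...directives.get(directive)]
    : [...(directives.get('default-src') || [])];
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") sources = [];
  if (!sources.includes(source)) sources.push(source);
  directives.set(directive, sources);
  return serializeCsp(directives);
}

// The custom policy to paste into Laboratory instead of the recorded one.
const FIXED_CSP = addSource(RECORDED_CSP, 'script-src', "'unsafe-eval'");

console.log('recorded policy allows eval:', allowsEval(RECORDED_CSP));
console.log('fixed policy allows eval:   ', allowsEval(FIXED_CSP));
console.log(FIXED_CSP);
```

Everything else in the recorded policy (the frame-src, img-src and style-src allow-lists) is left untouched, so the only widening is the one the search widget actually needs; 'unsafe-eval' still applies to every script origin in script-src, which is the price of embedding a third-party component that relies on eval().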

TotallyInformation commented 6 years ago

Thanks April, I will try that out.