Apple Login doesn’t work because of Content security policy? #475

Open
github-userx opened this issue Sep 28, 2019 · 4 comments

@github-userx

When trying to log in / load the page privacy.apple.com there is an error message appearing.

See: https://i.imgur.com/NByv2q9.jpg

@pyllyukko
Owner

pyllyukko commented Oct 1, 2019

Console says: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)." It seems like Firefox is doing what https://privacy.apple.com/ instructed it to do. The offending site is idmsa.apple.com.

No, wait... 🤔 If you toggle network.http.referer.spoofSource it will work.

@RainmakerRaw

RainmakerRaw commented May 19, 2020

I'm having this type of issue, too. The main Apple logins (e.g. icloud.com) do indeed work OK once network.http.referer.spoofSource is disabled, but I can't log in to Apple Music without getting an error saying Blocked by X-Frame-Options Policy.
If I restart FF in safe mode I still get the error (i.e. it's not an addon), but if I launch a new profile I can load the login just fine. Any ideas please?
Edit: My apologies, it seems it was caused by a remnant from my ghacks prefs, namely user_pref("security.ssl.require_safe_negotiation", true);. Once I commented that line (with a wipe of prefs.js each restart to test) the page loads the login normally. Rather than delete this I'll leave it in case someone finds it via search (as I did) when they have the same issue.

@nodiscc
Contributor

nodiscc commented Aug 24, 2020

> If you toggle network.http.referer.spoofSource it will work.

Then I think #491 fixes this, network.http.referer.spoofSource is now false by default. I used to have the same problem.

@fgeek

fgeek commented Mar 14, 2021

I can confirm that this issue is still open with 78.8.0esr (64-bit) and d6ce4eb with error "The loading of “https://idmsa.apple.com/..snip..” in a frame is denied by “X-Frame-Options“ directive set to “DENY“."
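
The two preferences this thread ties to the failed Apple logins can be checked for in a profile's user.js or prefs.js. The script below is an added example, not part of the thread or of the project's code; `SUSPECT_PREFS`, the function names and the sample file content are constructed for illustration, and it assumes block comments start at the beginning of a line and that a later `user_pref` line overrides an earlier one.

```python
import re

# Prefs the thread ties to the failed logins, with the value reported as breaking.
SUSPECT_PREFS = {
    "network.http.referer.spoofSource": True,
    "security.ssl.require_safe_negotiation": True,
}
# One user_pref("name", value); statement, optionally followed by a // comment.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$')
# Constructed sample user.js content (not taken from any real profile).
SAMPLE = """\
/* hardening overrides
user_pref("network.http.referer.spoofSource", false); */
user_pref("network.http.referer.spoofSource", true);
// user_pref("security.ssl.require_safe_negotiation", true);
user_pref("browser.startup.page", 0);
"""


def parse_value(raw):
    """Convert a pref literal (true/false, integer, quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')


def parse_prefs(text):
    """Return {name: value} for active user_pref lines; a later line wins."""
    prefs, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block or stripped.startswith("/*"):
            in_block = "*/" not in stripped  # stay in the comment until it closes
            continue
        match = PREF_RE.match(line)  # lines starting with // never match
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def find_suspects(text):
    """Names of thread-implicated prefs that are active with the breaking value."""
    prefs = parse_prefs(text)
    return sorted(n for n, bad in SUSPECT_PREFS.items() if prefs.get(n) is bad)


if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

A commented-out line, as in the ghacks remnant described above, is treated as inactive and is not reported.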
