Banking website functionality broken by NoScript even when restrictions are disabled - "call to eval() blocked by CSP" #538
Description
I don't know how easily you can troubleshoot this without an account with Pentagon Federal Credit Union, but hopefully the error messages are sufficient.
About a month ago, PenFed's website partially stopped working. A number of their website components appear to be externally-provided modules, which are now all "blocked by CSP." If I "disable restrictions for this tab," the problem persists, and if I "disable restrictions globally (dangerous)," the problem persists. However, if I disable the NoScript extension itself, the site works fine. There are four modules on the screen after logging in which are all replaced by red text in the form of:
Something went wrong with the "securityAlertPopUp" screen component on the "Security Alert Pop Up" flow. Contact your Salesforce admin about this error. Error in $A.getCallback() [call to eval() blocked by CSP]
In each case, the bolded text is replaced by another module name, but the rest of the text is identical. I've always understood that NoScript sometimes won't work right on a site, but disabling restrictions should resolve that. In this case, there's some residual restriction that isn't being disabled when restrictions are disabled.
I'm running NoScript 13.6.6 in Firefox 148.0.2 (64-bit) in Windows 11