XHR requests fail due to missing headers
Tested on Firefox Nightly 62.0a1 (2018-05-26) with a new profile and only Decentraleyes 2.0.3
Scenario
Open https://www.airtransat.com/ (will add location-based query parameters)
Expected
Site is functional and looks like this:
Actual
Site is broken:
- Buttons, hamburger menu don't work
- Some content fails to load:
Injected resources (copied from Decentraleyes panel)
- airtransat.com
- 3 CDNJS (Cloudflare)
  - jQuery UI v1.11.2
  - jQuery v1.11.1
  - Modernizr v2.8.2
Browser console logs for Decentraleyes and airtransat.com
unreachable code after return statement _Incapsula_Resource:1:33406
unreachable code after return statement _Incapsula_Resource:1:38669
unreachable code after return statement _Incapsula_Resource:1:38669
unreachable code after return statement _Incapsula_Resource:1:32568
unreachable code after return statement _Incapsula_Resource:1:37240
unreachable code after return statement _Incapsula_Resource:1:37240
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.2/jquery-ui.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.2/modernizr.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.2/jquery-ui.min.js. (Reason: CORS request did not succeed).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js. (Reason: CORS request did not succeed).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.2/modernizr.min.js. (Reason: CORS request did not succeed).
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
The resource at “https://www.googletagservices.com/tag/js/gpt.js” was blocked because tracking protection is enabled.[Learn More] www.airtransat.com
The resource at “https://www.googletagmanager.com/gtm.js?id=GTM-TRRZL6” was blocked because tracking protection is enabled.[Learn More] www.airtransat.com
Loading failed for the <script> with source “https://www.googletagmanager.com/gtm.js?id=GTM-TRRZL6”. www.airtransat.com:1
The resource at “https://www.googletagservices.com/tag/js/gpt.js” was blocked because tracking protection is enabled.[Learn More] www.airtransat.com
Loading failed for the <script> with source “https://www.googletagservices.com/tag/js/gpt.js”. www.airtransat.com:101
unreachable code after return statement _Incapsula_Resource:1:36991
unreachable code after return statement _Incapsula_Resource:1:35966
unreachable code after return statement _Incapsula_Resource:1:38064
unreachable code after return statement _Incapsula_Resource:1:38064