Refused to Execute a Script on Safari

Forge app loads normally on Chrome, Mozilla, Edge, Opera browsers but I get “Refused to Execute a Script” and a “failed to load resource” error on Safari browser. My manifest.yml and index.html are as follows:


      - unsafe-inline
      - unsafe-eval
      - unsafe-inline


      content="sandbox allow-popups; img-src * 'self' data: https:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; connect-src 'self' http://localhost:8002"

I tried deleting the meta tag and deploying, but that didn’t work either.

What could be the problem here?

Error to load resource


What script are you trying to run here that is being blocked?

Note that we serve all custom UI files with a Content-Security-Policy header.

In your second message, that error is for a sourcemap file, and is expected as we do not deploy the sourceMap file. However, this does not have any effect on the execution of your app otherwise.
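An added example, not part of the thread and not Forge's own code: a simplified JavaScript sketch of how a `<meta>` policy like the one posted above combines with a Content-Security-Policy header. `HEADER_POLICY`, the function names and the `example` origins used with it are assumptions made for illustration; only `META_POLICY` is taken from the thread.

```javascript
const KEYWORDS = ['self', 'unsafe-inline', 'unsafe-eval', 'none'];
const META_IGNORED = ['sandbox', 'report-uri', 'frame-ancestors'];
// Policy string quoted from the thread's <meta> tag.
const META_POLICY = "sandbox allow-popups; img-src * 'self' data: https:; style-src * self 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; connect-src 'self' http://localhost:8002";
// Constructed stand-in for a server-sent header policy (assumption, not Forge's real header).
const HEADER_POLICY = "script-src 'self'";

// Split a policy into a Map of directive name -> source list; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Report parts of a <meta> policy that do not mean what they appear to mean.
function lintMetaPolicy(policy) {
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    if (META_IGNORED.includes(name)) findings.push(`${name}: ignored in <meta>`);
    for (const s of sources) {
      if (KEYWORDS.includes(s.toLowerCase())) {
        findings.push(`${name}: unquoted ${s} is read as a host name`);
      }
    }
  }
  return findings;
}

// Does one policy allow a script URL? Handles *, 'self', scheme sources and exact origins only.
function allowsScript(policy, url, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return true; // no applicable directive, so this policy places no limit on scripts
  const u = new URL(url);
  return sources.some((s) =>
    (s === '*' && /^https?:$/.test(u.protocol)) ||
    (s === "'self'" && u.origin === pageOrigin) ||
    s === u.protocol || s === u.origin);
}

// Every delivered policy (header and <meta>) must allow the load.
function scriptAllowed(policies, url, pageOrigin) {
  return policies.every((p) => allowsScript(p, url, pageOrigin));
}
```

Because every policy has to pass, a permissive `<meta>` policy can only narrow what the header already allows, never widen it.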


I get error on this script.

I’m seeing something similar on the app I’m building. It’s a jira:customFieldType. The view, using CustomField, loads fine; the Edit modal, which is React using atlaskit, throws these errors:

It works in other browsers. As another data point, it doesn’t work in Brave with “Shields Up” (default privacy settings), but does with “Shields Down”.

One more data point, it works in Safari when using a static deploy via forge deploy but not with forge tunnel. Likewise for Brave with Shields up.

I also get: The page at about:blank was not allowed to display insecure content from http://localhost:8001/

It shows this with forge deploy and forge tunnel.

Hi @Spike, @KaanKrolu

In summary:

  1. For deployed custom UI apps, in Safari and Brave (shields up or down), apps work without issue.
  2. For tunneled custom UI apps, in Safari and Brave (shields up), apps do not work.

For Brave, as a workaround, you can use “shields down”, or specify “Allow all trackers & ads”.

For Safari, there is no workaround as the option to view “mixed content” is not available. In this case, the host app ( is trying to show an insecure (http://localhost:8***) frame. You can try using a different browser for tunnelling.

I’ve created this ticket for us to consider serving tunnelled custom UI apps over HTTPS which I believe should avoid this issue. [FRGE-689] - Ecosystem Jira


Can you confirm that even with your tunnel closed, the page is attempting to fetch from localhost:8001? There shouldn’t be any requests to localhost if your app is not currently being tunnelled.