Content Security Policy header blocks AJAX confirmation

I don’t want/need to use nonce.
If I include the Content Security Policy header at all (with any directives including just frame-ancestors), then the notification never appears, I just get the spinning wheel forever. Nothing noteworthy in the log, and admin-ajax.php gets a 200.
If I disable AJAX, then the page refreshes and the notification appears.
I’ve tried all combinations of directives at CSP to allow the AJAX request to complete successfully.
I need to use CSP for frame ancestors and would really like to keep the AJAX behavior.
Using GF 2.8.5.1 and everything else is working fine, just this issue. I am on an older version of WordPress (5.9).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.