About Neocities' new stricter Content Security Policy

Hotlinking is not dead

Around the start of this year, Neocities introduced a new, stricter Content Security Policy. For those who don't know, a Content Security Policy (CSP) restricts what a page is allowed to load. This can break some widgets on your website.

Who it affects

Free accounts made after the day the new policy was implemented.

So, the old, less strict CSP is now a supporter feature. However, if you were on Neocities before the new policy was added, you will keep the old, less strict CSP.

What this new stricter policy does

Most widgets that do all of the following will not work:

  1. Send or get data from another website (like via fetch() or <form>).
  2. Use a <script> tag to embed.

Some notable ones are HTML Comment Box and GoatCounter.

Everything else will continue to work, such as these:

  • YouTube, Navlink, and others that you embed using an <iframe>.
  • Most webrings, even if they use a <script>. They usually have the data already in the script itself.
  • Hotlinking images, scripts, styles, fonts, audio, videos, and Flash.

Some examples of these can be seen on this website.
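
To see why the split above falls where it does, here is a small CSP checker in JavaScript. It is an added example, not code from Neocities or from the original post. The policy string, page URL and widget URLs are constructed assumptions chosen to reproduce the behaviour described above, and source matching is simplified.

```javascript
// Added example. SAMPLE_POLICY is constructed to reproduce the behaviour
// described above; it is an assumption, not Neocities' actual header.
const SAMPLE_POLICY =
  "default-src * data: blob: 'unsafe-inline'; connect-src 'self'; form-action 'self'";

// Directives that fall back to default-src when absent (form-action does not).
const FALLS_BACK = new Set(["connect-src", "script-src", "style-src", "img-src",
  "font-src", "media-src", "object-src", "frame-src"]);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep only the first.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: ports and paths in host sources are ignored.
function sourceMatches(source, url, pageOrigin) {
  if (source.startsWith("'")) return source === "'self'" && url.origin === pageOrigin;
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[3].toLowerCase();
  return m[2] ? url.hostname.endsWith("." + host) : url.hostname === host;
}

function isAllowed(policy, directive, target, pageUrl) {
  let sources = policy.get(directive);
  if (!sources && FALLS_BACK.has(directive)) sources = policy.get("default-src");
  if (!sources) return true; // no applicable directive, so nothing is restricted
  const page = new URL(pageUrl);
  const url = new URL(target, page);
  return sources.some((s) => sourceMatches(s, url, page.origin));
}

// Constructed page and widget URLs (hypothetical hosts).
const PAGE = "https://example.neocities.org/";
const POLICY = parseCsp(SAMPLE_POLICY);
console.log("embed script loads:",
  isAllowed(POLICY, "script-src", "https://widget.example/embed.js", PAGE));
console.log("its fetch() to the widget host:",
  isAllowed(POLICY, "connect-src", "https://widget.example/api/comments", PAGE));
console.log("cross-site <form> post:",
  isAllowed(POLICY, "form-action", "https://widget.example/post", PAGE));
```

Under this assumed policy the embed script itself loads, but its cross-site fetch() and form submission are refused, which is the pattern a comment box or analytics counter runs into.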

Why Neocities is doing this

Apparently, abuse.