My WordPress websites use the Jetpack plugin, which makes it possible for visitors to subscribe so that they get an e-mail when I publish a new blog.
This week a subscriber sent me a mail to tell me that the links in those e-mails don't work anymore. I tested it right away and the subscriber was right. When you click on the link you only get a white screen.
My first thought was that the problem occurred because I had changed the URL of the blog. A word had been added twice in the URL, which looked wrong.
A few days later I published another blog. But the link in the subscription e-mail for that blog also showed a white screen in the browser. No error message was shown.
A few days later I analysed the link and saw my own domain followed by many parameters. I always thought that the links would first send the subscriber to wordpress.com and then redirect them to my site. But apparently they go straight to my site.
Just to gather more information, I opened Firefox’s Web Developer toolbar and reloaded the page.
The console tab showed 1 error in red starting with “Content-Security-Policy”, followed by the URL subscribe.wordpress.com, which was being blocked. My websites use the Content-Security-Policy security header to decide which external URLs are allowed and which are not.
After the link is clicked, and while the page is loading, it somehow connects to subscribe.wordpress.com before redirecting to my blog. But because this subdomain was blocked, the page couldn't fully load and redirect the visitor.
The solution was to add the subdomain to the default-src section of the Content-Security-Policy in my .htaccess file.
WordPress 6.4.3 with Jetpack 13.0
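
As an added example (not part of the original post and not Jetpack's code), this simplified checker shows why a policy that lacks the subdomain blocks the load and why adding it to default-src fixes it. The policy strings, the origin `blog.example` and the directive names passed in are constructed assumptions; only `'self'`, `*`, scheme and host sources are handled.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions; the page does not show its real policy).
PAGE = "https://blog.example"
TARGET = "https://subscribe.wordpress.com/"
BEFORE = "default-src 'self'"
AFTER = "default-src 'self' https://subscribe.wordpress.com"

# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}

def parse_policy(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """'*.example.com' matches subdomains only; a plain host must match exactly."""
    pattern, host = pattern.lower(), host.lower()
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == host

def source_matches(expr, url, page_origin):
    """Simplified matching: exact scheme comparison, ports and paths ignored."""
    target, origin = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr == "*":
        return target.scheme in ("http", "https")
    if expr.endswith(":"):                      # scheme-source such as https:
        return target.scheme == expr[:-1].lower()
    if expr.startswith("'"):                    # 'none', nonces, hashes, other keywords
        return False
    scheme, _, rest = expr.rpartition("://")
    if scheme and scheme.lower() != target.scheme:
        return False
    return host_matches(rest.split("/")[0].split(":")[0], target.hostname or "")

def is_allowed(header_value, directive, url, page_origin):
    """True if the policy lets page_origin load url under the given directive."""
    policy = parse_policy(header_value)
    fallback = None if directive in NO_FALLBACK else policy.get("default-src")
    sources = policy.get(directive, fallback)
    if sources is None:
        return True                             # nothing governs this load
    return any(source_matches(s, url, page_origin) for s in sources)
```

The browser console message names the violated directive. If that directive is set explicitly in the policy, the host has to be added there, because default-src is only consulted when the specific directive is absent.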