x/pkgsite: multiple console warnings/errors on Firefox

[mvdan]

For example, on https://pkg.go.dev/mod/mvdan.cc/sh/v3@v3.1.2 with Firefox 78.0.1 on Linux, on my usual profile:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). contentscript.js:1:388681
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 utils.js:35:9
Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: moz-extension://06bdf040-73e4-4e90-9c8a-e23635c79580/contentscript.js
Source Map URL: ../sourcemaps/contentscript.js.map

If I run with a new and empty Firefox profile (default settings, no extensions, etc), I don't get those warnings, presumably because the default security/privacy settings aren't as strong. I get a different warning, though:

Some cookies are misusing the recommended “sameSite“ attribute 2
Cookie “_ga” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite analytics.js:28:486
Cookie “_gid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Finally, there is also a warning on Chromium 83.0.4103.116, but it seems to be just a performance tip:

[Intervention] An <img> element was lazyloaded with loading=lazy, but had no dimensions specified. Specifying dimensions improves performance. See https://crbug.com/954323

Assuming that tests are made periodically, hopefully you can add Firefox and other major browsers like Safari too, to catch these early.

[mvdan]

CC @julieqiu @jba

[jamalc]

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). contentscript.js:1:388681
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 utils.js:35:9
Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: moz-extension://06bdf040-73e4-4e90-9c8a-e23635c79580/contentscript.js
Source Map URL: ../sourcemaps/contentscript.js.map

The CSP warnings look like they're coming from a browser extension and should have no affect pkg.go.dev.

Some cookies are misusing the recommended “sameSite“ attribute 2
Cookie “_ga” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite analytics.js:28:486
Cookie “_gid” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

The Google Analytics team was aware of the cookie issue and it has been fixed.