Neocities Security Fix

OP Dev Blog

2025-09-25

Table of contents
  1. Why do you do it this way again?
  2. Is my site affected?
  3. What if I'm not sure?

A Neocities site that recently registered with the main OP server mysteriously couldn't post anything to the server. Copying their page directly to our own Neocities site worked, which was confounding.

We figured it out when we found this issue on the Neocities repo explaining the decision behind a security policy that blocks fetch requests for external content.

Since our standard, HTML-only way of asking an OP server to scan your page relies on fetch, the policy blocks that method.

<link rel="preload" as="fetch" href="https://octothorp.es/?uri=https://YOURDOMAIN.COM/PATH/TO/CURRENT/PAGE">

However, since we are not loading anything externally, and are instead just using this as a lightweight way to send your URL to the server gracefully in the background, fetch is not necessary.

So you can change fetch to image in the call, and it will not be blocked.

<link rel="preload" as="image" href="https://octothorp.es/?uri=https://YOURDOMAIN.COM/PATH/TO/CURRENT/PAGE">

Again, neither of these calls loads any data into your page, so this isn't violating the spirit or the letter of the policy.
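Why changing the as value matters, as an added example (not OP or Neocities code): a preload with as="fetch" is checked against the connect-src directive of a Content Security Policy, while as="image" is checked against img-src, each falling back to default-src. The policy string is constructed for illustration and is not Neocities' actual header, and source matching covers only a subset of CSP (no ports or paths).

```javascript
// Added example: simplified CSP check for <link rel="preload"> requests.
// SAMPLE_POLICY is constructed for illustration; it is not Neocities' real header.
const SAMPLE_POLICY =
  "default-src 'self'; connect-src 'self'; img-src 'self' data: https:";

// Directive that governs each preload "as" value.
const DIRECTIVE_FOR_AS = { fetch: "connect-src", image: "img-src" };

// Parse "name source source; name source ..." into a Map of directive -> sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression against a target URL ('self', *, scheme:, host).
function sourceMatches(source, target, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === target.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() + ":" !== target.protocol) return false;
  const host = m[3].toLowerCase();
  return m[2] ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// Return { allowed, directive } for a preload of `url` with the given `as` value.
function checkPreload(policy, pageUrl, as, url) {
  const directives = parsePolicy(policy);
  const wanted = DIRECTIVE_FOR_AS[as];
  if (!wanted) throw new Error("unsupported as value: " + as);
  // Fall back to default-src when the specific directive is absent.
  const directive = directives.has(wanted) ? wanted : "default-src";
  const sources = directives.get(directive);
  if (!sources) return { allowed: true, directive: null }; // nothing restricts it
  const target = new URL(url);
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = sources.some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive };
}
```

Paste your own site's Content-Security-Policy response header in place of SAMPLE_POLICY and call checkPreload with your page URL to see which directive decides each form of the tag.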

Why do you do it this way again?

This is certainly not the only way to ping a server to say "hey look at me", but it's a one-line, very lightweight method, so it's the one we recommend. Beyond that, it's part of our core philosophy to only index your page when you ask us to. Among other things, this leaves the power to turn the process off in the end user's hands. OP is not a web crawler, and it doesn't scrape data indiscriminately. It's a tool for you to use. In a way, it's the opposite of a search engine.

Is my site affected?

Older and paid Neocities sites might not be. You can see if this problem affects your site by checking the console under "inspect" in Chrome. (For some reason Firefox does not always display an error.) If you see the following error, your site is affected.

[Screenshot: a Chrome developer console message indicating that a request to an octothorpe server violates a content security policy directive]

And, of course, you can check the server to see if your tags and posts are showing up.

What if I'm not sure?

If you're not sure, you can always use the image call. From the OP server's side, it is functionally identical.