Web page shows no script after whitelisting 3rd-party scripts #181
Description
As per https://www.wilderssecurity.com/showthread.php?p=2334993#post2334993.
My description of the problem:
Oh I see the problem... I add the "Content-Security-Policy: script-src 'none'" regardless of whether there is actual javascript. In fact, I can't know at this point whether there is actual javascript, I just know whether it is allowed or blocked, it's just the headers of the page. And the CSP directive can't obviously be added later when I have more information about the javascript environment, as it will be too late by then to prevent javascript from running.
I don't see how to solve this except for reporting/adding a javascript of count 1 as a proxy value for all the 3rd-party javascript sources which have to execute on the 1st-party page.
Essentially, 3rd-party scripts won't execute if scripts are not allowed for the web page pulling these 3rd-party scripts. This is a good thing. Problem is by reporting an empty 1st-party script cell, the user is not being given a visual hint that scripts for the web page need to be allowed for the 3rd-party scripts to execute. This also affects smart reload since it relies on the blocked count of a type/hostname to figure whether a reload is necessary.
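A minimal model of the behaviour described above, added here as an illustration and not taken from the extension's code: it shows why the 1st-party script cell stays empty when the CSP header is injected at header time, and how a proxy count of 1 restores both the visual hint and the smart-reload decision. All names (`PageStats`, `onHeadersReceived`, `needsReload`, `simulate`) are hypothetical and the hostnames are constructed.

```javascript
// Hypothetical model; not the extension's actual API.
// Per-page record of blocked requests, keyed by "type|hostname".
class PageStats {
  constructor() { this.blocked = new Map(); }
  recordBlocked(type, hostname, n = 1) {
    const key = `${type}|${hostname}`;
    this.blocked.set(key, (this.blocked.get(key) || 0) + n);
  }
  blockedCount(type, hostname) {
    return this.blocked.get(`${type}|${hostname}`) || 0;
  }
}

const makeRules = (allowed) => ({ scriptAllowed: (h) => allowed.includes(h) });

// Header-time decision: only the allow/block rule is known here, not whether
// the document contains or pulls any script.
function onHeadersReceived(details, rules, stats, useProxyCount) {
  const hostname = new URL(details.url).hostname;
  const headers = details.responseHeaders.slice();
  if (rules.scriptAllowed(hostname)) return headers;
  headers.push({ name: 'Content-Security-Policy', value: "script-src 'none'" });
  // Proxy value: stands in for every script the CSP will silently stop.
  if (useProxyCount) stats.recordBlocked('script', hostname, 1);
  return headers;
}

// Smart reload: reload only if something counted as blocked is now allowed.
function needsReload(stats, rulesAfter) {
  for (const [key, count] of stats.blocked) {
    const [type, hostname] = key.split('|');
    if (type === 'script' && count > 0 && rulesAfter.scriptAllowed(hostname)) return true;
  }
  return false;
}

// Constructed scenario: 3rd-party scripts whitelisted, 1st-party page not.
function simulate(useProxyCount) {
  const stats = new PageStats();
  const before = makeRules(['cdn.example.net']);
  const headers = onHeadersReceived(
    { url: 'https://example.com/', responseHeaders: [] }, before, stats, useProxyCount);
  const after = makeRules(['cdn.example.net', 'example.com']); // user allows 1st-party
  return {
    cspAdded: headers.some((h) => h.name === 'Content-Security-Policy'),
    firstPartyCell: stats.blockedCount('script', 'example.com'),
    reload: needsReload(stats, after),
  };
}
```
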