When I updated WordPress to the latest version, everything looked fine at first. Until I tried to create a new post. Instead of the Gutenberg editor, I saw nothing but a grey screen with a broken file icon. No error message, no warning — just a blank interface where the editor should be. Like this:
If you’re seeing the same thing, you’re not alone. This issue is more common than it seems, and the real cause is not a theme or plugin conflict. The problem is a Content-Security-Policy (CSP) header that silently blocks part of the editor from loading.
Here’s exactly what I found, how I identified the root cause, and the fix that finally restored my WordPress editor.
Table of Contents
The Symptom: Gutenberg loads as a grey screen
When opening:
/wp-admin/post-new.php
the page displayed:
- a flat grey background
- a minimal broken icon
- no blocks, sidebar, buttons, or error messages
This happens before Gutenberg even initializes.
The Investigation: looking at the browser console
The first real clue appeared in the browser console (Chrome DevTools).
This is the key screenshot you’ll want to check.
Console Error Example
The console displayed:
Framing 'blob:https://yourdomain.com/…' violates the Content Security Policy directive
"default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https:".
Not allowed to load local resource: blob:https://yourdomain.com/…That was the breakthrough.
The Root Cause: CSP blocking blob: resources
Modern versions of Gutenberg use iframe sandboxes powered by URLs that begin with:
blob:https://yourdomain.com/...These are temporary, in-browser URLs that the editor uses internally.
But my server was sending this CSP header:
default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https:;Notice what’s missing?
👉 blob: is not allowed.
This means:
- WordPress tries to load an iframe using
blob: - the CSP blocks it
- the iframe returns
null - Gutenberg fails and shows a grey screen
The fix is simply to allow blob:.
The Fix: update the CSP to allow blob:
My hosting support confirmed the solution and provided the exact rule to add inside the site’s .htaccess file:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: blob:;"
</IfModule>After saving the .htaccess file, I reloaded the editor…
✨ and Gutenberg immediately came back to life.
No theme changes, no plugin issues, no PHP rollback — just one missing directive in the CSP.
Where to check your CSP
You can inspect your headers by opening:
Chrome DevTools → Network → click post-new.php → Headers → Response Headers
Look for:
Content-Security-Policy: …If you do NOT see blob: in your default-src (or child-src / frame-src), your editor may fail for the same reason.
Network Headers Example
blob: — this blocks the Gutenberg iframe.Why allowing blob: is safe
Many people wonder whether enabling blob: lowers security.
The short answer: no.
blob: URLs:
- are generated locally by the browser
- cannot be accessed cross-origin
- cannot load remote scripts
- are destroyed when the page closes
Platforms like WordPress.com, Notion, GitHub, Figma, Google Workspace and many others rely on blob: every day.
The insecure parts of your CSP (if any) are unsafe-inline and unsafe-eval, not blob: — and those are usually required because of older themes or plugins.
If your hosting applies CSP automatically
Some hosting providers add CSP headers at the server level, outside .htaccess.
If that’s your case, you can send your provider a message like:
“The WordPress editor uses blob: URLs for iframe sandboxing.
Please update the Content-Security-Policy for my domain to include blob: in default-src or frame-src.”
This resolves the issue 100% of the time.
Final Takeaway
If Gutenberg loads a grey screen with no interface, the most likely cause is:
Your server’s Content-Security-Policy is blocking blob:.
The fix is simple:
✔️ Add blob: to default-src (or frame-src)
✔️ Save .htaccess
✔️ Reload the editor
And everything goes back to normal.
If this tip helped you fix the “WordPress Gutenberg editor not working” issue, feel free to leave a comment below. And if you’ve found another solution or insight, I’d love to hear it — share it in the comments!
