diff --git a/src/static/empty.html b/src/static/empty.html
new file mode 100644
index 000000000..ef02d22ca
--- /dev/null
+++ b/src/static/empty.html
@@ -0,0 +1 @@
+<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>
diff --git a/src/static/js/ace.js b/src/static/js/ace.js
index 387576ce4..1e73ac48f 100644
--- a/src/static/js/ace.js
+++ b/src/static/js/ace.js
@@ -197,7 +197,9 @@ const Ace2Editor = function () {
     //   - Chrome never fires any events on the frame or document. Eventually the document's
     //     readyState becomes 'complete' even though it never fires a readystatechange event.
     //   - Safari behaves like Chrome.
-    outerFrame.srcdoc = '<!DOCTYPE html>';
+    // srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle
+    // 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296
+    outerFrame.src = '../static/empty.html';
     info.frame = outerFrame;
     document.getElementById(containerId).appendChild(outerFrame);
     const outerWindow = outerFrame.contentWindow;
@@ -240,7 +242,7 @@ const Ace2Editor = function () {
     innerFrame.allowTransparency = true; // for IE
     // The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above
     // outerFrame.srcdoc.
-    innerFrame.srcdoc = '<!DOCTYPE html>';
+    innerFrame.src = 'empty.html';
     outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild);
     const innerWindow = innerFrame.contentWindow;