This could happen because the email contains no text MIME parts. Does this patch fix the error?

After a week of tests all works perfect. ~kon patch fix this issue.

I have submitted a relevant patch. Could you report whether it fixes the issue you described?

Adding the explicit app domain to the Content Security Policy removes the Firefox errors. Setting the SameSite attribute to None allows the cookie to be sent. Based on these, I suspect that the issue comes from a mismatching iFrame domain instead of the CSP policy.