diff --git a/platform/safari/vapi-background.js b/platform/safari/vapi-background.js
index 2c311d339..c63ebe8d6 100644
--- a/platform/safari/vapi-background.js
+++ b/platform/safari/vapi-background.js
@@ -700,10 +700,10 @@
         // Until Safari has more specific events, those are instead handled
         // in the onBeforeRequestAdapter; clean them up so they're garbage-collected
         vAPI.net.onBeforeSendHeaders = null;
-        vAPI.net.onHeadersReceived = null;
 
         var onBeforeRequest = vAPI.net.onBeforeRequest,
             onBeforeRequestClient = onBeforeRequest.callback,
+            onHeadersReceivedClient = vAPI.net.onHeadersReceived.callback,
             blockableTypes = onBeforeRequest.types;
 
         var onBeforeRequestAdapter = function(e) {
@@ -719,9 +719,10 @@
                 });
                 e.message.hostname = µb.URI.hostnameFromURI(e.message.url);
                 e.message.tabId = vAPI.tabs.getTabId(e.target);
-                var blockVerdict = onBeforeRequestClient(e.message);
-                if(blockVerdict && blockVerdict.redirectUrl) {
-                    e.target.url = blockVerdict.redirectUrl;
+                e.message.responseHeaders = [];
+                onBeforeRequestClient(e.message);
+                var blockVerdict = onHeadersReceivedClient(e.message);
+                if(blockVerdict && blockVerdict.responseHeaders) {
                     e.message = false;
                 }
                 else {
diff --git a/platform/safari/vapi-client.js b/platform/safari/vapi-client.js
index 085e5ce03..c02270014 100644
--- a/platform/safari/vapi-client.js
+++ b/platform/safari/vapi-client.js
@@ -174,8 +174,9 @@
     }
 
     // Inform that we've navigated
+    var shouldBlockScript = false;
     if(frameId === 0) {
-        safari.self.tab.canLoad(beforeLoadEvent, {
+        shouldBlockScript = !safari.self.tab.canLoad(beforeLoadEvent, {
             url: location.href,
             type: "main_frame"
         });
@@ -225,6 +226,12 @@
     var firstMutation = function() {
         document.removeEventListener("DOMContentLoaded", firstMutation, true);
         firstMutation = false;
+        if(shouldBlockScript) {
+            var meta = document.createElement('meta');
+            meta.setAttribute("http-equiv", "content-security-policy");
+            meta.setAttribute("content", "script-src 'unsafe-eval' *");
+        }
+        document.documentElement.insertBefore(meta, document.documentElement.firstChild);
         document.addEventListener(vAPI.sessionId, function(e) {
             if(shouldBlockDetailedRequest(e.detail)) {
                 e.detail.url = false;