Bug 242724

Summary: Content-Security-Policy-Report-Only header breaks Content-Security-Policy header directives
Product: WebKit Reporter: cdaringe <cdaringe>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description cdaringe 2022-07-13 16:40:11 PDT
Setting a Content-Security-Policy-Report-Only [3] header interferes with the active Content-Security-Policy and breaks by site by prevent assets from processing that are otherwise should be permitted.

I have created a very easy reproduction demonstrating that the addition of Content-Security-Policy-Report-Only breaks the loading of (at least) inline javascript assets.

The demonstration repository [2] has installation and usage instructions. I've recorded a concise video [1] demonstrating the case where only the CSP header is active and assets process appropriately, and the same application failing to load assets by changing nothing other than turning on the CSP Report Only header.


[1] https://youtu.be/1MXjk9ugJ9Y
[2] https://github.com/cdaringe/Safari-Content-Security-Policy-Report-Only-Breaks-CSP
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
Comment 1 Radar WebKit Bug Importer 2022-07-20 16:41:15 PDT
<rdar://problem/97347217>