Bug 242724

Summary:	Content-Security-Policy-Report-Only header breaks Content-Security-Policy header directives
Product:	WebKit	Reporter:	cdaringe <cdaringe>
Component:	WebKit Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	NEW ---
Severity:	Normal	CC:	bfulgham, webkit-bug-importer, wilander
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Description cdaringe 2022-07-13 16:40:11 PDT

Setting a Content-Security-Policy-Report-Only [3] header interferes with the active Content-Security-Policy and breaks by site by prevent assets from processing that are otherwise should be permitted.

I have created a very easy reproduction demonstrating that the addition of Content-Security-Policy-Report-Only breaks the loading of (at least) inline javascript assets.

The demonstration repository [2] has installation and usage instructions. I've recorded a concise video [1] demonstrating the case where only the CSP header is active and assets process appropriately, and the same application failing to load assets by changing nothing other than turning on the CSP Report Only header.


[1] https://youtu.be/1MXjk9ugJ9Y
[2] https://github.com/cdaringe/Safari-Content-Security-Policy-Report-Only-Breaks-CSP
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

Comment 1 Radar WebKit Bug Importer 2022-07-20 16:41:15 PDT

<rdar://problem/97347217>