Bug 242724 - Content-Security-Policy-Report-Only header breaks Content-Security-Policy header directives
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-07-13 16:40 PDT by cdaringe
Modified: 2022-07-20 16:41 PDT

See Also:


Description cdaringe 2022-07-13 16:40:11 PDT
Setting a Content-Security-Policy-Report-Only [3] header interferes with the active Content-Security-Policy and breaks my site by preventing assets from processing that should otherwise be permitted.

I have created a very easy reproduction demonstrating that the addition of Content-Security-Policy-Report-Only breaks the loading of (at least) inline JavaScript assets.

The demonstration repository [2] has installation and usage instructions. I've recorded a concise video [1] demonstrating the case where only the CSP header is active and assets process appropriately, and the same application failing to load assets by changing nothing other than turning on the CSP Report Only header.
[1] https://youtu.be/1MXjk9ugJ9Y
[2] https://github.com/cdaringe/Safari-Content-Security-Policy-Report-Only-Breaks-CSP
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
Comment 1 Radar WebKit Bug Importer 2022-07-20 16:41:15 PDT
<rdar://problem/97347217>