222484 2021-02-26 11:44:42 -0800 CSP: Link header with rel=preload does not recognize nonces 2025-08-22 12:49:17 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=238014 https://github.com/web-platform-tests/wpt/pull/54454 BrowserCompat, InRadar P2 Normal --- 1 aaronshim rreno achristensen ahmad.saleem792 beidson bfulgham rreno smoley tao.zhou webkit-bug-importer youennf oldest_to_newest 1733896 0 aaronshim 2021-02-26 11:44:42 -0800 Safari does not recognize CSP nonces that are sent as a part of the Link header. ### Observed Behavior ### Visit https://cloud.arturjanc.com/s/safari-link-nonce/link-header. Following headers are sent: Link: <https://arturjanc.com/foo2.js>; rel=preload; as=script; nonce=123 Content-Security-Policy: script-src 'nonce-123'; object-src 'none'; report-uri /foo No script is run. ### Expected Behavior ### Script is run. Chrome and Firefox runs the script. Interestingly, Safari will run the script if the preload Link is included as an HTML tag rather than a header (https://cloud.arturjanc.com/s/safari-link-nonce/link-element). 1736043 1 smoley 2021-03-04 15:17:02 -0800 Thanks for filing, I can reproduce this on Safari 13.1.3 as well as STP 121 (14.2). 1736044 2 webkit-bug-importer 2021-03-04 15:17:14 -0800 <rdar://problem/75060055> 2003077 3 ahmad.saleem792 2024-01-04 18:03:45 -0800 Console Error in Safari 17.2.1 & Safari Technology Preview 185: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. Refused to load blob:https://cloud.arturjanc.com/f772cb40-5898-4465-8838-1595ffc71648 because it does not appear in the script-src directive of the Content Security Policy. ___ Chrome Canary 122 & Firefox Nightly 123 - no console error. 2024872 4 tao.zhou 2024-03-29 17:40:35 -0700 this issue still exists, and quite strangely, the violation is only reported if its `nonce` only on CSP-Report-Only header, but not when its on CSP header. so we can observe the violation with following header: ``` Content-Security-Policy: script-src 'self' 'nonce-123'; Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo; ``` but not on: ``` Content-Security-Policy: script-src 'nonce-123'; Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo; ``` 2024892 5 tao.zhou 2024-03-29 19:40:29 -0700 here is the minimum repro repo: https://github.com/taozhou-glean/webkit-nonce 2138161 6 rreno 2025-08-21 21:20:03 -0700 Thanks for the report. When building the preload request on behalf of the HTMLPreloadScanner we aren't copying the nonce from the link element's nonce attribute into the fetch options we use when creating the network request. So later when the loader tries to validate we're allowed to do the load there's no nonce to check against and we trip over the Content-Security-Policy-Report-Only header. The reason why it works in the other case (/csp-no-violation endpoint in the bun server) is because when we're building the preload request we do an early check of the nonce for enforcement policies (so Content-Security-Policy header or meta-tag delivered headers). If the check succeeds we skip later CSP pre-request checks. Since in the csp-no-violation case the nonce is present we will never send a violation report. In the failing case there is no nonce in the Content-Security-Policy header and so we do a full CSP check later, but with the aforementioned bug. The fix here is to include the link element's nonce attribute in the fetch request during preload. We could also consider doing a nonce check against report only policies but that's a little more involved since we don't want to accidentally skip CSP for enforcement policies that would otherwise be allowed by report-only policies. 2138176 7 rreno 2025-08-22 00:22:58 -0700 Pull request: https://github.com/WebKit/WebKit/pull/49756 2138179 8 rreno 2025-08-22 00:27:17 -0700 Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54454 2138346 9 ews-feeder 2025-08-22 12:49:15 -0700 Committed 299070@main (2a8526c8f622): <https://commits.webkit.org/299070@main> Reviewed commits have been landed. Closing PR #49756 and removing active labels.