276931 2024-07-22 23:15:38 -0700 Safari ignores style-src-elem in CSP 2026-01-31 10:51:45 -0800 1 1 1 Unclassified WebKit Page Loading Safari 18 Mac (Intel) macOS 14 RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=203757 https://github.com/web-platform-tests/wpt/pull/54080 BrowserCompat, InRadar P2 Normal --- 1 maxim rreno beidson bfulgham fiyaas007 karlcow rreno webkit-bug-importer wilander oldest_to_newest 2047701 0 maxim 2024-07-22 23:15:38 -0700 In short, when using <link> and @import approach to add CSS to my website, Safari 17 (both on Mac and on iOS) doesn't let them load even though they are allowed in style-src-elem directive. Workaround is to put them into style-src directive, which is less restrictive than style-src-elem, so it isn't preferred. See https://github.com/Maxim-Mazurok/csp-safari-issue for reproduction, and follow the steps from the README.md Another reproduction I found here: https://csplite.com/csp/test235/#test (you'll need to login to see it, and 2a and 3 test will fail in Safari and pass in Chrome/Firefox). Here's the full list of user-agents that experience the same issue on our production website: Mozilla/5.0 (iPad; CPU OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPad; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/126 Mobile/15E148 Version/15.0 Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.153 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.54 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/308.0.615969171 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/319.0.638705450 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/320.0.639621854 Mobile/15E148 Safari/604.1 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/462.0.0.35.110;FBBV/609503125;FBDV/iPhone16,2;FBMD/iPhone;FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80] Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/463.0.0.32.110;FBBV/612837805;FBDV/iPhone16,2;FBMD/iPhone;FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80] Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.49(0x18003137) NetType/WIFI Language/zh_CN Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 (Applebot/0.1; +http://www.apple.com/go/applebot) Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 2049383 1 webkit-bug-importer 2024-07-29 23:16:12 -0700 <rdar://problem/132783992> 2053983 2 karlcow 2024-08-19 20:28:26 -0700 Maxim, Thanks for the reports Would you mind sharing the live site where this is happening? 2054308 3 maxim 2024-08-20 18:45:42 -0700 Hi Karl, Sure, here's a live website with a reproduction: https://csp-safari-issue.vercel.app/ It works in Chrome (funky font loaded), and it doesn't work in Safari (default font used). It is a deployment of the 'static' branch: https://github.com/Maxim-Mazurok/csp-safari-issue/tree/static Hope this helps! 2115028 4 maxim 2025-05-05 00:10:05 -0700 (In reply to Karl Dubost from comment #2) > Maxim, > > Thanks for the reports > Would you mind sharing the live site where this is happening? Hi Karl, it's been a while. I was wondering if you had a chance to check out the reproduction? It's still happening for me on Desktop Safari 18.3.1 2115053 5 maxim 2025-05-05 04:32:55 -0700 Same on Safari Version 18.4 (19621.1.15.111.1, 19621) on macOS 14.7.5 (23H527) 2133310 6 rreno 2025-07-29 22:06:57 -0700 Pull request: https://github.com/WebKit/WebKit/pull/48702 2133315 7 karlcow 2025-07-29 22:31:32 -0700 @Maxim, Ryan found the source of the issue after investigating another public website where this is failing too. 2133316 8 maxim 2025-07-29 22:34:09 -0700 Awesome, thank you! I'm not familiar with WebKit sources, but PR looks promising! 2133677 9 rreno 2025-07-31 11:34:06 -0700 Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54080 2133729 10 ews-feeder 2025-07-31 15:04:20 -0700 Committed 298104@main (3b36e1e3244a): <https://commits.webkit.org/298104@main> Reviewed commits have been landed. Closing PR #48702 and removing active labels. 2176909 11 fiyaas007 2026-01-31 10:51:45 -0800 (In reply to Maxim Mazurok from comment #0) > In short, when using <link> and @import approach to add CSS to my website, > Safari 17 (both on Mac and on iOS) doesn't let them load even though they > are allowed in style-src-elem directive. Workaround is to put them into > style-src directive, which is less restrictive than style-src-elem, so it > isn't preferred. > > See https://github.com/Maxim-Mazurok/csp-safari-issue for reproduction, and > follow the steps from the README.md > > Another reproduction I found here: https://csplite.com/csp/test235/#test > (you'll need to login to see it, and 2a and 3 test will fail in Safari and > pass in Chrome/Firefox). > > Here's the full list of user-agents that experience the same issue on our > production website: > > Mozilla/5.0 (iPad; CPU OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, > like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, > like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPad; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/17.5 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 15_8 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) FxiOS/126 Mobile/15E148 Version/15.0 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 > Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_4_1 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 > Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) CriOS/126.0.6478.153 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) CriOS/126.0.6478.54 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) GSA/308.0.615969171 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) GSA/319.0.638705450 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 > (KHTML, like Gecko) GSA/320.0.639621854 Mobile/15E148 Safari/604.1 > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 > [FBAN/FBIOS;FBAV/462.0.0.35.110;FBBV/609503125;FBDV/iPhone16,2;FBMD/iPhone; > FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80] > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 > [FBAN/FBIOS;FBAV/463.0.0.32.110;FBBV/612837805;FBDV/iPhone16,2;FBMD/iPhone; > FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80] > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 > MicroMessenger/8.0.49(0x18003137) NetType/WIFI Language/zh_CN > Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) > AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 > Safari/604.1 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/16.3 Safari/605.1.15 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/16.6 Safari/605.1.15 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/17.0 Safari/605.1.15 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/17.4 Safari/605.1.15 (Applebot/0.1; > +http://www.apple.com/go/applebot) > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/17.4.1 Safari/605.1.15 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, > like Gecko) Version/17.5 Safari/605.1.15 > Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/125.0.0.0 Safari/537.36 > Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/126.0.0.0 Safari/537.36