Bug 242724

Setting a Content-Security-Policy-Report-Only [3] header interferes with the active Content-Security-Policy and breaks by site by prevent assets from processing that are otherwise should be permitted. I have created a very easy reproduction demonstrating that the addition of Content-Security-Policy-Report-Only breaks the loading of (at least) inline javascript assets. The demonstration repository [2] has installation and usage instructions. I've recorded a concise video [1] demonstrating the case where only the CSP header is active and assets process appropriately, and the same application failing to load assets by changing nothing other than turning on the CSP Report Only header. [1] https://youtu.be/1MXjk9ugJ9Y [2] https://github.com/cdaringe/Safari-Content-Security-Policy-Report-Only-Breaks-CSP [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only