Bug 265173
| Summary: | Safari blocking JS reading nonce for `<style>` and `<link>` | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris J. Shull <chrisjshull> |
| Component: | WebCore Misc. | Assignee: | Anne van Kesteren <annevk> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | annevk, karlcow, mike, webkit-bug-importer |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | Safari 17 | | |
| Hardware: | Unspecified | | |
| OS: | macOS 14 | | |
Chris J. Shull
The Google Maps JavaScript API reads the nonce value of an existing `<style>` or `<link rel="stylesheet">` in order to inject more stylesheets with the same nonce.
(We do the same thing for `<script>` elements, and that works fine.)
This works fine in Chrome 119 and Firefox 119, but in Safari (tested on Version 17.1 - 18616.2.9.11.10, 18616) we are unable to read the nonce value in JS, causing the Google Maps JavaScript API to render incorrectly on websites.
Here is a test page reported by one of our customers: https://maps-bug-1a422.web.app/index.html
Which is served with header:

```http
Content-Security-Policy: default-src https:;script-src 'strict-dynamic' 'nonce-f4K3+nOnc3/';style-src 'nonce-f4K3+nOnc3/' https://fonts.googleapis.com;img-src https: data:
```

Test JS snippet:

```javascript
document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce
```

should return the nonce value, but instead returns the empty string.
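An added example (not code from the bug report, from WebKit, or from the Google Maps JavaScript API) of the pattern the report describes: a trusted, already-nonced script reads the page's nonce from an existing nonced style element through the `.nonce` IDL attribute and reuses it for a stylesheet it injects. Under CSP nonce hiding, once an element with a nonce is connected under a header-delivered policy the browser blanks the `nonce` content attribute, so `getAttribute('nonce')` returns the empty string and only the IDL property carries the value; the bug above is Safari returning the empty string from the IDL property as well. The helper names (`readStyleNonce`, `injectStylesheet`, `makeModelDocument`) and the `example.test` URL are my own; `makeModelDocument` is a constructed stand-in so the block also runs outside a browser, and the nonce value is the one from the report's CSP header.

```javascript
// Added example, not from the bug report, WebKit, or the Google Maps JavaScript API.
// Propagating a CSP nonce from an existing nonced <style>/<link> to a stylesheet
// that a trusted script injects at runtime.
//
// Under CSP nonce hiding, once an element with a nonce is connected under a
// header-delivered policy the browser blanks the `nonce` content attribute, so
// element.getAttribute('nonce') is "" and only the IDL property element.nonce
// still carries the value (the selector `[nonce]` keeps matching: the attribute
// is emptied, not removed).

// Read the nonce a trusted script may reuse for the styles it injects.
// Returns "" when no nonced style element exists or the engine does not
// expose the value (the behaviour reported for Safari 17.1 above).
function readStyleNonce(doc) {
  const el = doc.querySelector('style[nonce],link[rel="stylesheet"][nonce]');
  if (!el) return '';
  // The IDL attribute is the only reliable source under nonce hiding; the
  // content attribute is consulted only for engines that do not hide it.
  return el.nonce || el.getAttribute('nonce') || '';
}

// Inject a stylesheet carrying the page's nonce so that style-src 'nonce-…'
// admits it. Refuse rather than inject an un-nonced <link>: CSP would block
// it and the page would silently render without the CSS.
function injectStylesheet(href, doc) {
  const nonce = readStyleNonce(doc);
  if (!nonce) {
    throw new Error('no readable CSP nonce on any <style>/<link>; not injecting ' + href);
  }
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = href;
  // Set the IDL property rather than setAttribute('nonce', …): the value goes
  // straight into the element's internal nonce slot and never appears in the DOM.
  link.nonce = nonce;
  doc.head.appendChild(link);
  return link;
}

// Constructed stand-in (hypothetical, for running outside a browser) for a
// document whose <style nonce="…"> is already connected under a header CSP:
// content attribute blanked, IDL property retained.
function makeModelDocument(nonceValue) {
  const style = {
    tagName: 'STYLE',
    nonce: nonceValue,
    getAttribute: (name) => (name === 'nonce' ? '' : null),
  };
  const head = {
    children: [],
    appendChild(node) { this.children.push(node); return node; },
  };
  return {
    head,
    querySelector: (selector) => (selector.includes('[nonce]') ? style : null),
    createElement: (tag) => ({ tagName: tag.toUpperCase(), nonce: '' }),
  };
}

// Stand-alone run: in a browser pass `document` instead of the model.
if (typeof document === 'undefined') {
  const doc = makeModelDocument('f4K3+nOnc3/'); // nonce from the report's CSP header
  const style = doc.querySelector('style[nonce]');
  console.log('getAttribute("nonce") ->', JSON.stringify(style.getAttribute('nonce')));
  console.log('.nonce (IDL)          ->', JSON.stringify(readStyleNonce(doc)));
  injectStylesheet('https://example.test/extra.css', doc); // constructed URL
  console.log('injected stylesheets   ->', doc.head.children.length);
}
```

Manual propagation is needed for styles because `'strict-dynamic'` in the report's header applies only to `script-src`; there is no equivalent for `style-src`, so every injected `<link>` or `<style>` must carry the nonce itself. The refusal in `injectStylesheet` is the check a library wants: on an engine that returns `""` from `.nonce`, failing loudly is easier to diagnose than the broken rendering the report describes.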
Radar WebKit Bug Importer
<rdar://problem/118676659>
Anne van Kesteren
Thanks for taking the time to report this Chris, this looks like a silly oversight.
Anne van Kesteren
Pull request: https://github.com/WebKit/WebKit/pull/20778
EWS
Committed 271046@main (9ea548224a00): <https://commits.webkit.org/271046@main>
Reviewed commits have been landed. Closing PR #20778 and removing active labels.