Created attachment 256373 [details] example of safari incorrectly blocking script loading Webkit blocks loading resources if there is no protocol in CSP rule. For example. it will block loading https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js with the rule *.googleapis.com, but will allow with http://*.googleapis.com This applies to any domain and both http and https. So, all browsers work correctly with 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*", but for webkit safari I have to add https://*.googleapis.com, or they will generate me lots of csp reports, which do not actually violate anything. This link http://content-security-policy.com/ says, that *.domain.domain should apply to both http and https and any subdomain.