Test case: http://lingro.com:81/cgi-bin/csp-2-enforcing.py Content-Security-Policy: script-src 'nonce-foobar123'; report-uri /enforcing, script-src www.google.com; report-uri /enforcing2 <html> <head> <!-- This should execute without violations because it satisfies both policies --> <script nonce="foobar123" src="https://www.google.com/jsapi?callback=alert&1-ok"></script> <!-- This should NOT execute because it violates the (enforcing) whitelist policy --> <script nonce="foobar123" src="https://www.google.com.PL/jsapi?callback=alert&2-reporting-bad"></script> <!-- This should NOT execute because it violates the (enforcing) nonce policy --> <script src="https://www.google.com/jsapi?callback=alert&3-bad"></script> </head> <body> </body> </html> -- These have two policies: one with nonce and another with host based policies. A script should execute when it has the right nonce and the host matches the host-src whitelist. But, all script tags get blocked. Firefox handles this correctly (at least based on my reading of the spec) but Chrome also breaks (but is fixing). Relatedly, there is a similar bug when one policy is report-only and another is enforcing: http://lingro.com:81/cgi-bin/csp-both-modes-safari.py thank you!
<rdar://problem/26522376>
Hi WebKit friends! Any updates on this bug? This keeps biting us and reduces the security of our csp policy. Would love to see this resolved!
I also ran into this issue.
There’s a question at Stack Overflow that seems to be a case of this same problem — https://stackoverflow.com/a/56933431/441757
Hi Any updates on this bug? I still ran into this bug with Safari Version 13.1 (15609.1.20.111.8)
Hi folks. I *think* that this bug is an earlier report of Bug 235199, which was fixed in r288132. This should be available in an STP build soon.
(In reply to Brent Fulgham from comment #6) > Hi folks. I *think* that this bug is an earlier report of Bug 235199, which > was fixed in r288132. > > This should be available in an STP build soon. I think this because of the error, but the original test case from years ago is no longer available, so I can't definitely confirm.