A minimal test case is available here: https://www.flickr.com/csp_webkit_bug_report.gne

If a page uses a correctly specified nonce attribute on inline scripts and includes a script-src 'nonce-foo' directive in just the Report-Only header, then WebKit incorrectly reports CSP errors on each script. The error is:

"[Error] [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy."

No errors are reported (correctly) if:

1) Neither CSP header includes 'nonce-foo'
2) Both CSP headers include 'nonce-foo'
3) Only the blocking CSP header includes 'nonce-foo'

But if only the Report-Only CSP header includes 'nonce-foo', then errors will be logged to the console.

This identically affects:

* macOS 10.12.5 (16F73)
* Safari Version 10.1.1 (12603.2.4)
* Safari Technology Preview Release 31 (Safari 10.2, WebKit 12604.1.23.0.1)
* WebKit Nightly Version 10.1.1 (12603.2.4, r217709)
<rdar://problem/32543347>
Doesn’t sound like a security bug to me. A false positive is clearly a bug, and could be quite inconvenient for a developer, but I don’t see how it leads to vulnerability.
Makes sense. I wanted to err on the side of caution. Should I resubmit this as a WebKit bug or can it just be reassigned in Bugzilla?
I think it can be moved.
(In reply to Darin Adler from comment #4)
> I think it can be moved.

Done!
Thank you for this report. We believe this is no longer an issue in STP 139, iOS 15.4 Beta, and macOS 12.3 Beta.