Step 3.4.2.3 here[0] omits the `service-workers mode`[1] enum, which defaults to `"all"`. This means that Service-Worker *should* get fetch events for CSP violations reports[2]. You can see a demo here[3]. When it's working, you will see this in the document: Caught POST for https://84daacff2fb387fdf02f89b0fce73ef3.report-uri.com/r/d/csp/enforce) {"csp-report":{"document-uri":"https://vaz.ac/dev/csp/sw/index.html","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"default-src 'self' 'unsafe-inline'; report-uri https://84daacff2fb387fdf02f89b0fce73ef3.report-uri.com/r/d/csp/enforce","disposition":"enforce","blocked-uri":"https://ak.vaz.ac/dev/csp/sw/index.js","line-number":23,"column-number":23,"source-file":"https://vaz.ac/dev/csp/sw/index.html","status-code":0,"script-sample":""}} [0] https://w3c.github.io/webappsec-csp/#report-violation [1] https://fetch.spec.whatwg.org/#request-service-workers-mode [2] https://github.com/w3c/webappsec-csp/issues/383 [3] https://vaz.ac/dev/csp/sw/index.html
Currently, ping loads (beacon API, CSP violation reports) are not going through service workers. We should indeed fix this.
<rdar://problem/47884547>
*** This bug has been marked as a duplicate of bug 196807 ***