Bug 222484 - RESOLVED FIXED
CSP: Link header with rel=preload does not recognize nonces
https://bugs.webkit.org/show_bug.cgi?id=222484
Summary: CSP: Link header with rel=preload does not recognize nonces
Aaron Shim
Reported 2021-02-26 11:44:42 PST
Safari does not recognize CSP nonces that are sent as a part of the Link header.

### Observed Behavior ###

Visit https://cloud.arturjanc.com/s/safari-link-nonce/link-header. The following headers are sent:

Link: <https://arturjanc.com/foo2.js>; rel=preload; as=script; nonce=123
Content-Security-Policy: script-src 'nonce-123'; object-src 'none'; report-uri /foo

No script is run.

### Expected Behavior ###

Script is run. Chrome and Firefox run the script.

Interestingly, Safari will run the script if the preload Link is included as an HTML tag rather than a header (https://cloud.arturjanc.com/s/safari-link-nonce/link-element).
Smoley
Comment 1 2021-03-04 15:17:02 PST
Thanks for filing, I can reproduce this on Safari 13.1.3 as well as STP 121 (14.2).
Radar WebKit Bug Importer
Comment 2 2021-03-04 15:17:14 PST
Ahmad Saleem
Comment 3 2024-01-04 18:03:45 PST
Console Error in Safari 17.2.1 & Safari Technology Preview 185:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
Refused to load blob:https://cloud.arturjanc.com/f772cb40-5898-4465-8838-1595ffc71648 because it does not appear in the script-src directive of the Content Security Policy.

___

Chrome Canary 122 & Firefox Nightly 123 - no console error.
Tao Zhou
Comment 4 2024-03-29 17:40:35 PDT
This issue still exists, and quite strangely, the violation is only reported if the `nonce` is only on the CSP-Report-Only header, but not when it's on the CSP header. So we can observe the violation with the following headers:

```
Content-Security-Policy: script-src 'self' 'nonce-123';
Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo;
```

but not on:

```
Content-Security-Policy: script-src 'nonce-123';
Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo;
```
Tao Zhou
Comment 5 2024-03-29 19:40:29 PDT
here is the minimum repro repo: https://github.com/taozhou-glean/webkit-nonce
Ryan Reno
Comment 6 2025-08-21 21:20:03 PDT
Thanks for the report. When building the preload request on behalf of the HTMLPreloadScanner we aren't copying the nonce from the link element's nonce attribute into the fetch options we use when creating the network request. So later when the loader tries to validate we're allowed to do the load there's no nonce to check against and we trip over the Content-Security-Policy-Report-Only header.

The reason why it works in the other case (/csp-no-violation endpoint in the bun server) is because when we're building the preload request we do an early check of the nonce for enforcement policies (so Content-Security-Policy header or meta-tag delivered headers). If the check succeeds we skip later CSP pre-request checks. Since in the csp-no-violation case the nonce is present we will never send a violation report. In the failing case there is no nonce in the Content-Security-Policy header and so we do a full CSP check later, but with the aforementioned bug.

The fix here is to include the link element's nonce attribute in the fetch request during preload. We could also consider doing a nonce check against report only policies but that's a little more involved since we don't want to accidentally skip CSP for enforcement policies that would otherwise be allowed by report-only policies.
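Added example, not WebKit's code and not from the linked repro repo: a toy JavaScript model of the two-step nonce check described in comment 6, applied to enforcement/report-only header pairs of the kind comment 4 discusses. The header values, the `preloadCarriesNonce` switch (which stands in for whether the link's nonce was copied into the fetch options) and every function name here are constructed for illustration; WebKit's loader, preload scanner and CSP classes are not modelled, and only the `'self'` and `'nonce-…'` source expressions are handled.

```javascript
// Constructed model of CSP script-src nonce validation for a preloaded script.
// Not WebKit code: it only illustrates why a nonce that is dropped from the
// preload request trips the report-only policy but not the enforcement one.

// Parse a CSP header value into Map<directive, [source expressions]>.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script-src falls back to default-src; null means nothing governs scripts.
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// True only when the policy carries an explicit 'nonce-<value>' source that
// matches the nonce in hand (the "early check" from comment 6).
function nonceMatches(policy, nonce) {
  const sources = scriptSources(policy);
  return Boolean(nonce) && sources !== null && sources.includes(`'nonce-${nonce}'`);
}

// Full check: does the policy allow a script request with these properties?
function scriptSrcAllows(policy, { nonce, sameOrigin }) {
  const sources = scriptSources(policy);
  if (sources === null) return true;          // no applicable directive
  if (nonceMatches(policy, nonce)) return true;
  if (sameOrigin && sources.includes("'self'")) return true;
  return false;
}

// Evaluate one preload. `preloadCarriesNonce === false` models the bug: the
// nonce attribute never reaches the fetch options, so the later full check
// runs without it. Returns whether the load is blocked and which policies
// would emit a violation report.
function checkPreload({ headers, linkNonce, sameOrigin, preloadCarriesNonce }) {
  const enforce = parseCsp(headers['content-security-policy'] ?? '');
  const reportOnlyHeader = headers['content-security-policy-report-only'];
  const reportOnly = reportOnlyHeader ? parseCsp(reportOnlyHeader) : null;

  // Early nonce check against the enforcement policy only; success skips
  // the later pre-request checks, so report-only is never consulted.
  if (nonceMatches(enforce, linkNonce)) {
    return { blocked: false, reports: [] };
  }

  const request = { nonce: preloadCarriesNonce ? linkNonce : undefined, sameOrigin };
  const reports = [];
  const blocked = !scriptSrcAllows(enforce, request);
  if (blocked) reports.push('enforce');
  if (reportOnly !== null && !scriptSrcAllows(reportOnly, request)) reports.push('report-only');
  return { blocked, reports };
}

// Constructed header pairs for the two situations comment 6 describes.
const NONCE_IN_ENFORCE = {
  'content-security-policy': "script-src 'nonce-123'",
  'content-security-policy-report-only': "script-src 'nonce-123'; report-uri /foo",
};
const NONCE_ONLY_IN_REPORT_ONLY = {
  'content-security-policy': "script-src 'self'",
  'content-security-policy-report-only': "script-src 'nonce-123'; report-uri /foo",
};

// Run both header pairs for a same-origin script preloaded with nonce=123.
function demo(preloadCarriesNonce) {
  const common = { linkNonce: '123', sameOrigin: true, preloadCarriesNonce };
  return {
    nonceInEnforce: checkPreload({ headers: NONCE_IN_ENFORCE, ...common }),
    nonceOnlyInReportOnly: checkPreload({ headers: NONCE_ONLY_IN_REPORT_ONLY, ...common }),
  };
}

console.log('before fix:', JSON.stringify(demo(false)));
console.log('after fix: ', JSON.stringify(demo(true)));
```

With `preloadCarriesNonce` false, the second header pair yields a report-only violation while the load itself proceeds under `'self'`; with the nonce carried through, no report is produced. The first pair never reports in either mode because the early enforcement-policy check short-circuits the later checks, which is the asymmetry the comment explains.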
Ryan Reno
Comment 7 2025-08-22 00:22:58 PDT
Ryan Reno
Comment 8 2025-08-22 00:27:17 PDT
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54454
EWS
Comment 9 2025-08-22 12:49:15 PDT
Committed 299070@main (2a8526c8f622): <https://commits.webkit.org/299070@main> Reviewed commits have been landed. Closing PR #49756 and removing active labels.