Created attachment 432154
safari-CSP

Usage of element.removeAttribute("style") in Safari v14.1 throws the following CSP violation:

"Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy".

Example:

    function removeStyle() {
        document.getElementById("section").removeAttribute("style"); // throws above CSP violation
    }

CSP used:

    default-src 'none'; connect-src 'self'; script-src 'self'; style-src 'self';

Reference: Attached HTML file.

Steps to reproduce:
1. Open the demo HTML with Safari v14.1
2. Open the console to check the violation reported
3. Click on the change and remove color buttons
4. Remove button - is executing the following - element.removeAttribute("style")
5. On click of Remove - the above CSP violation will be reported in the console
Created attachment 432236
Updated safari-csp-issue html with text message

Created attachment 432237
Updated safari-csp-issue html with text message
<rdar://problem/80020346>
I am able to reproduce this bug in Safari 15.6 on macOS 12.5, and it gives the following message in the Console:

Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

All other browsers do not show any such message in the Console. Thanks!
Pull request: https://github.com/WebKit/WebKit/pull/3333
Committed 254409@main (572f10393126): <https://commits.webkit.org/254409@main>

Reviewed commits have been landed. Closing PR #3333 and removing active labels.
What version of Safari is this fixed in?
(In reply to nickygencs from comment #7)
> What version of Safari is this fixed in?

Safari 16.4 <- if I am not wrong. @jensimmons & others might be able to give precise information.