Created attachment 433665 [details] Comparison between safari and chrome SecurityPolicyViolationEvent when fired contains incomplete/wrong fields. How to reproduce: 1. define csp rules `connect-src` to something that will block xhrs 2. trigger an post xhr to some endpoint, for example `https://reqbin.com/echo/post/json` Observe the securitypolicyviolation event. Blocked url contains only hostname without the path I will post a screenshot with an scenario that I have On the left side is safari, and on the right side is chrome. If we check the blockedURI property we can see that chrome has correct value and on safari only hostname is added. Please note that `/bf` is missing on safari for `blockedURI` + query string. Also safari seems like it assigned that value to the documentURI but the document url where it happened was on `my localhost IP address` and not on url where xhr was sent. Additionally documentURI seems like is randomly correct as it sometimes has the right value and sometimes has the value that should be `blockedURI`. I am doing some comparisons to filter out the xhrs I am sending from these violations ( I am gathering some analytics ) and with incomplete `blockedURI` value I am not able as it can match any xhr if it is sent to a URL relative to the hostname. Firefox has the correct values all the time also. I tested this on SAFARI 14, SAFARI 13 and it seems like it happens also on apple mail application.
Thanks for filing, I tried to take a look at your example page but I'm hitting a 404 error. Is there a better link to try?
<rdar://problem/80989579>