Needless to say, this CSP directive should only block *web content* from executing JS. It shouldn't block the browser itself from executing its own JS. Currently the web content is able to disable browser features, e.g. Epiphany's security warning when focusing an insecure password form, Epiphany's warning before closing a web page with an unsubmitted form, Epiphany's entire password manager, and even things like the code to compute a web app's name and title when creating a new web app. JS is used for a lot of stuff and it has to work.
See also: bug #192753.
Thanks for filing! I don't know if you are writing patches for WebKit these days, Michael. If so, is this something you intend/want to work on?
I looked at it briefly, but not closely enough to prepare a patch. The error is coming from ScriptController::executeScriptInWorld, which decides scripts are not allowed because ScriptController::canExecuteScripts returns false. Maybe we need a new ReasonForCallingCanExecuteScripts for scripts executed by WebKit API that bypass some of the checks.
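A simplified model of the idea suggested in the comment above, as an added example that is not WebKit source and not code from this thread. The enum value `ExecutedByWebKitAPI`, the two boolean fields and the single-argument `executeScriptInWorld` are assumptions made for illustration; the point shown is that an API-originated reason skips the page-delivered restriction while a check owned by the embedder still applies.

```cpp
#include <cstdio>

// Simplified model for illustration; this is not WebKit source code.
enum class ReasonForCallingCanExecuteScripts {
    AboutToExecuteScript,   // script supplied by web content
    ExecutedByWebKitAPI     // hypothetical new value for scripts injected through WebKit API
};

struct ScriptController {
    bool contentPolicyBlocksScripts; // stand-in for the CSP restriction in this report
    bool scriptsDisabledByEmbedder;  // assumed second check that the embedder controls

    bool canExecuteScripts(ReasonForCallingCanExecuteScripts reason) const
    {
        // A switch owned by the embedder applies to every caller.
        if (scriptsDisabledByEmbedder)
            return false;
        // Policy delivered by the page binds only the page's own scripts.
        if (reason == ReasonForCallingCanExecuteScripts::ExecutedByWebKitAPI)
            return true;
        return !contentPolicyBlocksScripts;
    }

    // Returns true when the script would run. The reason is fixed by the calling
    // code path, so web content has no way to claim the exemption for itself.
    bool executeScriptInWorld(ReasonForCallingCanExecuteScripts reason) const
    {
        return canExecuteScripts(reason);
    }
};

int main()
{
    using Reason = ReasonForCallingCanExecuteScripts;
    ScriptController restricted { true, false };
    std::printf("page script runs: %d\n", restricted.executeScriptInWorld(Reason::AboutToExecuteScript));
    std::printf("API script runs:  %d\n", restricted.executeScriptInWorld(Reason::ExecutedByWebKitAPI));
    return 0;
}
```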
Somebody is complaining on Matrix that this also breaks WebKit's HTMLMediaElement controls. So it's not just browser-level features, but also WebKit features that are affected.
(In reply to Michael Catanzaro from comment #4)
> Somebody is complaining on Matrix that this also breaks WebKit's
> HTMLMediaElement controls. So it's not just browser-level features, but also
> WebKit features that are affected.