Created attachment 454946: Expected page render

Loading pages that have CSP enabled and use nonces in their <link> tags fails to load the style sheets with the message below:

[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy.

You can find such an example here: https://examples9x.wicket.apache.org/index.html

This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in Epiphany latest and it is broken there as well, so this seems to be a WebKit issue.

Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request

> If the result of executing § 6.6.2.2 Does nonce match source list? on request's cryptographic nonce metadata and this directive's value is "Matches", return "Allowed".
Created attachment 454947: Actual page render
> This works in Safari < 5.4, but is broken in Safari 5.4.

I'm guessing that this is Safari 15.4, not 5.4, could you please confirm?
Yes, 15.4
<rdar://problem/90599352>
Hi! Thanks for reporting, I am taking a look at this. I noticed in the reduction you linked (https://examples9x.wicket.apache.org/index.html) that when I inspect the page the nonce is not specified for the stylesheet elements (I see "nonce" instead of something like "nonce='abc'"). Is this a mistake in the creation of the reduction, or could this be the issue? Maybe I am missing something. Thanks!
If you "View Source" you will see the nonces.

<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
Also, please see: https://stackoverflow.com/questions/55670985/google-chrome-stripping-nonce-values-from-script-tags
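As an added illustration (not code from the bug report or from WebKit), the following models the CSP3 "Does nonce match source list?" check that the quoted style-src pre-request step applies before a <link rel="stylesheet"> fetch is allowed, using the nonce value the browser retains for the element even after the attribute is hidden from the DOM, as discussed above. The policy object, the link records and the helper names are constructed for this example; fallback from style-src to default-src is deliberately omitted.

```javascript
// Split a directive value such as "'self' 'nonce-abc123'" into its
// whitespace-separated source expressions.
function parseSourceList(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// CSP3 section 6.6.2.2: "Matches" only if the list contains a
// 'nonce-<base64-value>' expression whose value equals the request's
// nonce. An empty nonce never matches anything.
function nonceMatchesSourceList(nonce, sourceList) {
  if (nonce === "") return "Does Not Match";
  for (const expr of sourceList) {
    const m = /^'nonce-([A-Za-z0-9+\/\-_]+=*)'$/.exec(expr);
    if (m && m[1] === nonce) return "Matches";
  }
  return "Does Not Match";
}

// Pre-request check for a stylesheet fetch: the request's cryptographic
// nonce metadata is the <link> element's nonce. A policy with no
// style-src directive imposes nothing here (default-src fallback omitted).
function styleSrcPreRequest(policy, linkNonce) {
  const directive = policy["style-src"];
  if (directive === undefined) return "Allowed";
  const list = parseSourceList(directive);
  if (nonceMatchesSourceList(linkNonce, list) === "Matches") return "Allowed";
  return "Blocked"; // the "Refused to load ... style-src" console error
}

// Constructed inputs modelled on the report: a header whose style-src
// lists one nonce, and <link> elements carrying the same value, plus one
// link without a nonce that the policy must reject.
const policy = { "style-src": "'nonce-oSJryZj3W7yFgWz7apvYaNxw'" };
const links = [
  { href: "/fonts/source-code-pro/stylesheet.css", nonce: "oSJryZj3W7yFgWz7apvYaNxw" },
  { href: "/style.css", nonce: "oSJryZj3W7yFgWz7apvYaNxw" },
  { href: "/injected.css", nonce: "" },
];

// Evaluate every link and return [href, decision] pairs.
function checkLinks(policy, links) {
  return links.map((l) => [l.href, styleSrcPreRequest(policy, l.nonce)]);
}
```

A conforming engine must return "Allowed" for the first two links and "Blocked" for the third; the bug here was that the nonce match was not consulted for <link> stylesheets at all.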
I see - thanks for the clarification!
Created attachment 455663: Patch
Comment on attachment 455663 (Patch): Looks good to me.
Comment on attachment 455663 (Patch): r=me
Created attachment 455679: Patch
Created attachment 455680: Patch for landing
Committed r291816 (248843@main): <https://commits.webkit.org/248843@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455680.
This fix shipped with Safari 15.5 (all platforms).