WebKit Bugzilla
RESOLVED FIXED
265173
Safari blocking JS reading nonce for <style> and <link>
https://bugs.webkit.org/show_bug.cgi?id=265173
Chris J. Shull
Reported
2023-11-20 20:53:16 PST
The Google Maps JavaScript API reads the nonce value of an existing <style> or <link rel="stylesheet"> in order to inject more stylesheets with the same nonce. (We do the same thing for <script> elements, and that works fine.) This works fine in Chrome 119 and Firefox 119, but in Safari (tested on Version 17.1 - 18616.2.9.11.10, 18616) we are unable to read the nonce value in JS, causing the Google Maps JavaScript API to render incorrectly on websites. Here is a test page reported by one of our customers:
https://maps-bug-1a422.web.app/index.html
Which is served with header:
Content-Security-Policy: default-src https:;script-src 'strict-dynamic' 'nonce-f4K3+nOnc3/';style-src 'nonce-f4K3+nOnc3/' https://fonts.googleapis.com;img-src https: data:
Test JS snippet:
document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce
should return the nonce value, but instead returns empty string.
Radar WebKit Bug Importer
Comment 1
2023-11-21 01:06:18 PST
<rdar://problem/118676659>
Anne van Kesteren
Comment 2
2023-11-21 01:39:07 PST
Thanks for taking the time to report this Chris, this looks like a silly oversight.
Anne van Kesteren
Comment 3
2023-11-21 01:49:18 PST
Pull request:
https://github.com/WebKit/WebKit/pull/20778
EWS
Comment 4
2023-11-22 01:56:05 PST
Committed 271046@main (9ea548224a00): <https://commits.webkit.org/271046@main>
Reviewed commits have been landed. Closing PR #20778 and removing active labels.
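The nonce-propagation pattern described in the report, as an added example that is not part of the original thread and is not Google Maps or WebKit code. The helper names and the stub document are hypothetical, and the fallback to `script[nonce]` assumes the policy uses one nonce for both script-src and style-src, as the header quoted in the report does.

```javascript
// Added example; all names here are hypothetical, not from any real library.
const NONCE_SELECTORS = [
  'style[nonce]',
  'link[rel="stylesheet"][nonce]',
  'script[nonce]', // fallback; assumes script-src and style-src share one nonce
];

// Return the first non-empty nonce exposed through the .nonce property.
// The property is read rather than getAttribute('nonce'), as in the report.
function findReadableNonce(doc) {
  for (const selector of NONCE_SELECTORS) {
    for (const el of doc.querySelectorAll(selector)) {
      if (typeof el.nonce === 'string' && el.nonce !== '') {
        return { nonce: el.nonce, source: selector };
      }
    }
  }
  return null;
}

// Inject a <style> carrying the page's nonce; refuse when none is readable,
// since a <style> without the nonce would be blocked by style-src anyway.
function injectStyle(doc, cssText) {
  const found = findReadableNonce(doc);
  if (found === null) return null;
  const style = doc.createElement('style');
  style.nonce = found.nonce; // set before insertion so the CSP check sees it
  style.textContent = cssText;
  doc.head.appendChild(style);
  return { element: style, source: found.source };
}

// Constructed stand-in for a document so the logic runs outside a browser.
// `nodes` maps each selector to the elements it would match.
function makeStubDocument(nodes) {
  const appended = [];
  return {
    appended,
    querySelectorAll: (selector) => nodes[selector] || [],
    createElement: (tag) => ({ tagName: tag.toUpperCase(), nonce: '', textContent: '' }),
    head: { appendChild: (el) => { appended.push(el); return el; } },
  };
}
// Constructed case matching the report: style.nonce reads '', script.nonce works.
const affected = makeStubDocument({
  'style[nonce]': [{ nonce: '' }],
  'script[nonce]': [{ nonce: 'f4K3+nOnc3/' }],
});
console.log(injectStyle(affected, '.map{height:100%}'));
```

In a browser, pass `document` as `doc`; the returned `source` shows which element type supplied the nonce, which makes the affected-Safari case visible in logs.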