The Google Maps JavaScript API reads the nonce value of an existing <style> or <link rel="stylesheet"> in order to inject more stylesheets with the same nonce. (We do the same thing for <script> elements, and that works fine.)

This works fine in Chrome 119 and Firefox 119, but in Safari (tested on Version 17.1 - 18616.2.9.11.10, 18616) we are unable to read the nonce value in JS, causing the Google Maps JavaScript API to render incorrectly on websites.

Here is a test page reported by one of our customers: https://maps-bug-1a422.web.app/index.html

Which is served with header:

    Content-Security-Policy: default-src https:;script-src 'strict-dynamic' 'nonce-f4K3+nOnc3/';style-src 'nonce-f4K3+nOnc3/' https://fonts.googleapis.com;img-src https: data:

Test JS snippet:

    document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce

should return the nonce value, but instead returns an empty string.
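The nonce lookup described in the report, written defensively, as an added example that is not Google Maps or WebKit code: it reads the `.nonce` property from stylesheet elements first and falls back to `script[nonce]`, which assumes the page issues one nonce for both `script-src` and `style-src`, as the test page's header does. `findNonce`, `injectStyle` and `stubDocument` are hypothetical names.

```javascript
// Selectors tried in order. The script fallback is an assumption: it is only
// valid when script-src and style-src share a nonce.
const NONCE_SOURCES = [
  'style[nonce],link[rel="stylesheet"][nonce]',
  'script[nonce]',
];

// Return the first non-empty nonce exposed through the IDL property.
// The content attribute is not consulted: with nonce hiding, a browser blanks
// it once the element is in a document governed by a header-delivered CSP.
function findNonce(doc) {
  for (const selector of NONCE_SOURCES) {
    for (const el of doc.querySelectorAll(selector)) {
      if (typeof el.nonce === 'string' && el.nonce !== '') {
        return { nonce: el.nonce, source: selector };
      }
    }
  }
  return null;
}

// Create a <style> carrying the discovered nonce. Returns null rather than
// appending a nonce-less element that style-src would block anyway.
function injectStyle(doc, cssText) {
  const found = findNonce(doc);
  if (!found) return null;
  const style = doc.createElement('style');
  style.nonce = found.nonce;
  style.textContent = cssText;
  doc.head.appendChild(style);
  return style;
}

// Constructed stand-in for `document` so the helpers can be exercised outside
// a browser; `matches` maps a selector to the elements it would return.
function stubDocument(matches) {
  const appended = [];
  return {
    appended,
    head: { appendChild: (el) => appended.push(el) },
    createElement: (tagName) => ({ tagName }),
    querySelectorAll: (selector) => matches[selector] || [],
  };
}
```

In a browser, pass the real `document`; the `source` field shows which selector supplied the nonce, which is useful when logging how often the fallback path is taken.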
<rdar://problem/118676659>
Thanks for taking the time to report this, Chris. This looks like a silly oversight.
Pull request: https://github.com/WebKit/WebKit/pull/20778
Committed 271046@main (9ea548224a00): <https://commits.webkit.org/271046@main>

Reviewed commits have been landed. Closing PR #20778 and removing active labels.