STR: 1. Setup a website with strict content security policy, returning response header like `"Content-Security-Policy: default-src 'none';`. 2. Serve a `Content-type: text/plain` document. Expected: 1. Text document is rendered correctly without any errors in the console. Actual: 1. Text document is rendered correctly but with error complaining about inline style. ``` Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. ``` Note: The inline style is inserted from the fake document here: https://github.com/WebKit/WebKit/blob/dca6ec38e14d781a8298cfb23ebbbc63351db19a/Source/WebCore/html/parser/TextDocumentParser.cpp#L60 Maybe we should switch to User Agent Shadow Root instead of generate fake document in the parser? Is it possible (and safe) to insert the hash to CSP?
<rdar://problem/126942181>