Bug 305461 (RESOLVED FIXED)
Integrity-Policy reports are sent for scripts with correct SRI attributes
https://bugs.webkit.org/show_bug.cgi?id=305461
Summary: Integrity-Policy reports are sent for scripts with correct SRI attributes
Scott Helme
Reported: 2026-01-14 01:56:24 PST
Created attachment 478010 [details]: Screenshot of Integrity Policy reports sent to Report URI.

Integrity-Policy was shipped here: https://bugs.webkit.org/show_bug.cgi?id=293433

Since then, we have been receiving Integrity Policy reports from Safari for scripts that have the correct SRI attributes present. Take our homepage, which you can find here: https://report-uri.com/

This script tag is present on the page:

    <script src="https://cdn.report-uri.com/js/refresh/frontend.min.js?v=3"
            integrity="sha256-3blw5/58mQRPxfzWn9iVYOqUF8vJNxlfffZeKMWWTqI= sha384-yOFntz2J1oEbz3Mz4xvZp92+Yqkn8IZFYLw7KzOu0mA+AEN5pshE10V1I7nTHTbs sha512-7hdwRaQfHGqaWhE6Yznpc1wOTVDhVqIX812Xb8TuXAeqV71DBqRSeCRn4fDD9XqboFFx0ffOAhwcv6ZYz3RjjQ=="
            crossorigin="anonymous" nonce=""></script>

This has the correct SRI attributes and the script is loaded as expected, but Safari is also sending Integrity Policy reports on both macOS and iOS, see the attached screenshot. The JSON payload for the reports is:

    {
      "integrity-violation": {
        "documentURL": "https://report-uri.com/",
        "blockedURL": "https://cdn.report-uri.com/js/refresh/frontend.min.js",
        "destination": "script",
        "reportOnly": true
      }
    }

My understanding was that Integrity Policy reports should only be sent for assets that are not loaded with integrity attributes, and Chrome does not currently send these reports.
Attachments
Screenshot of Integrity Policy reports sent to Report URI. (49.21 KB, image/png)
2026-01-14 01:56 PST, Scott Helme
Yoav Weiss
Comment 1, 2026-01-15 01:34:10 PST
EWS
Comment 2, 2026-01-15 22:08:55 PST
Committed 305689@main (59c1484d0d9e): <https://commits.webkit.org/305689@main> Reviewed commits have been landed. Closing PR #56628 and removing active labels.
Radar WebKit Bug Importer
Comment 3, 2026-01-15 22:09:13 PST