Created attachment 478014 [details] CSP Hash reports being sent for styles but reported as scripts. On our site, https://report-uri.com, we have the following CSP header: content-security-policy: default-src 'none'; script-src cdn.report-uri.com 'nonce-*snip*' static.cloudflareinsights.com 'report-sha256' 'report-sample'; style-src 'self' 'unsafe-inline' cdn.report-uri.com; img-src 'self' data: cdn.report-uri.com; font-src 'self' cdn.report-uri.com; frame-src 'self'; frame-ancestors 'none'; form-action 'self'; connect-src 'self'; upgrade-insecure-requests; base-uri 'none'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default It is using the 'report-sha256' keyword in the script-src directive, so we are expecting csp-hash reports to be sent for script assets. We have now started receiving csp-hash reports for style assets, with the destination value still set to script, from Safari browser: { "csp-hash": { "documentURL": "https://report-uri.com/", "subresourceURL": "https://cdn.report-uri.com/css/refresh/bootstrap.min.css", "hash": "sha256-7ZWbZUAi97rkirk4DcEp4GWDPkWpRMcNaEyXGsNXjLg=", "type": "subresource", "destination": "script" } } The main bug I believe is that these should not be sent, as we are not requesting csp-hash reports for style assets, but also if they were to be sent, the destination value needs to be updated to correctly reflect style.