[Webkit-unassigned] [Bug 242724] New: Content-Security-Policy-Report-Only header breaks Content-Security-Policy header directives
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jul 13 16:40:11 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=242724
Bug ID: 242724
Summary: Content-Security-Policy-Report-Only header breaks
Content-Security-Policy header directives
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: cdaringe at gmail.com
Setting a Content-Security-Policy-Report-Only [3] header interferes with the active Content-Security-Policy and breaks by site by prevent assets from processing that are otherwise should be permitted.
I have created a very easy reproduction demonstrating that the addition of Content-Security-Policy-Report-Only breaks the loading of (at least) inline javascript assets.
The demonstration repository [2] has installation and usage instructions. I've recorded a concise video [1] demonstrating the case where only the CSP header is active and assets process appropriately, and the same application failing to load assets by changing nothing other than turning on the CSP Report Only header.
[1] https://youtu.be/1MXjk9ugJ9Y
[2] https://github.com/cdaringe/Safari-Content-Security-Policy-Report-Only-Breaks-CSP
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220713/f8a13619/attachment.htm>
More information about the webkit-unassigned
mailing list