<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Some extensions triggers CSP violation reports"

   href="https://bugs.webkit.org/show_bug.cgi?id=149000">149000</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Some extensions triggers CSP violation reports

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>New Bugs

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dante3333&#64;gmail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Steps to reproduce the problem:

1. Create a page with a CSP policy (without putting style-src 'unsafe-inline') and with a report uri

2. Open the page

3. Use some extensions like Diigo, Evernote, etc.

4. a report is sent to report-uri

What is the expected behavior?

The extension should not trigger any CSP policy violation, according to wikipedia : browsers and add-ins should be exempt from CSP =&gt; <a href="https://en.wikipedia.org/wiki/Content_Security_Policy#Browser_add-ons_and_extensions_exemption">https://en.wikipedia.org/wiki/Content_Security_Policy#Browser_add-ons_and_extensions_exemption</a>

What went wrong?

A report is sent to report-uri with safari-extension:// as source, like

 blocked-uri: &quot;safari-extension://com.evernote.safari.clipper-q79wdw8yh9&quot; 

(which shouldn't be)

The report_uri script gets a CSP violation. Example on one of my websites :

{

    &quot;csp-report&quot;: {

        &quot;document-uri&quot;: &quot;<a href="http://a11y.nicolas-hoffmann.net/tabs/">http://a11y.nicolas-hoffmann.net/tabs/</a>&quot;,

        &quot;referrer&quot;: &quot;<a href="https://www.google.fr/">https://www.google.fr/</a>&quot;,

        &quot;violated-directive&quot;: &quot;frame-src 'self' &quot;,

        &quot;original-policy&quot;: &quot;default-src 'self';  script-src 'self' *.jquery.com  ; style-src 'self' 'unsafe-inline' data:  ; img-src 'self' data: ;  frame-src 'self' ; report-uri /csp-parser.php&quot;,

        &quot;blocked-uri&quot;: &quot;safari-extension://com.wotservicesoy.wot-ff6ww26hl3&quot;

    }

}

I don't know if it may help, the same bug is present on Blink: <a href="https://code.google.com/p/chromium/issues/detail?id=524356">https://code.google.com/p/chromium/issues/detail?id=524356</a> (with a lot of more details)</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>