<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Multiple CSP policies (report-only and enforcing) do not intersect correctly"

   href="https://bugs.webkit.org/show_bug.cgi?id=158103">158103</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Multiple CSP policies (report-only and enforcing) do not intersect correctly

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Safari Technology Preview

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Macintosh

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>OS X 10.11

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebKit Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>webkit&#64;devd.me

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Test case: <a href="http://lingro.com:81/cgi-bin/csp-2-enforcing.py">http://lingro.com:81/cgi-bin/csp-2-enforcing.py</a>

Content-Security-Policy: script-src 'nonce-foobar123'; report-uri /enforcing, script-src www.google.com; report-uri /enforcing2

&lt;html&gt;

    &lt;head&gt;

        &lt;!-- This should execute without violations because it satisfies both policies --&gt;

        &lt;script nonce=&quot;foobar123&quot; src=&quot;<a href="https://www.google.com/jsapi?callback=alert&amp;1-ok">https://www.google.com/jsapi?callback=alert&amp;1-ok</a>&quot;&gt;&lt;/script&gt;

        &lt;!-- This should NOT execute because it violates the (enforcing) whitelist policy --&gt;

        &lt;script nonce=&quot;foobar123&quot; src=&quot;<a href="https://www.google.com.PL/jsapi?callback=alert&amp;2-reporting-bad">https://www.google.com.PL/jsapi?callback=alert&amp;2-reporting-bad</a>&quot;&gt;&lt;/script&gt;

        &lt;!-- This should NOT execute because it violates the (enforcing) nonce policy --&gt;

        &lt;script src=&quot;<a href="https://www.google.com/jsapi?callback=alert&amp;3-bad">https://www.google.com/jsapi?callback=alert&amp;3-bad</a>&quot;&gt;&lt;/script&gt;

    &lt;/head&gt;

    &lt;body&gt;

    &lt;/body&gt;

&lt;/html&gt;

--

These have two policies: one with nonce and another with host based policies. A script should execute when it has the right nonce and the host matches the host-src whitelist. But, all script tags get blocked. Firefox handles this correctly (at least based on my reading of the spec) but Chrome also breaks (but is fixing). 

Relatedly, there is a similar bug when one policy is report-only and another is enforcing: 

<a href="http://lingro.com:81/cgi-bin/csp-both-modes-safari.py">http://lingro.com:81/cgi-bin/csp-both-modes-safari.py</a>

thank you!</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>