Bug 276931
| Summary | Safari ignores style-src-elem in CSP | | |
|---|---|---|---|
| Product | WebKit | Reporter | Maxim Mazurok <maxim> |
| Component | Page Loading | Assignee | Ryan Reno <rreno> |
| Status | RESOLVED FIXED | | |
| Severity | Normal | CC | beidson, bfulgham, karlcow, rreno, webkit-bug-importer, wilander |
| Priority | P2 | Keywords | BrowserCompat, InRadar |
| Version | Safari 18 | | |
| Hardware | Mac (Intel) | | |
| OS | macOS 14 | | |
| See Also | https://bugs.webkit.org/show_bug.cgi?id=203757, https://github.com/web-platform-tests/wpt/pull/54080 | | |
Maxim Mazurok
In short, when using the <link> and @import approach to add CSS to my website, Safari 17 (both on Mac and on iOS) doesn't let them load even though they are allowed in the style-src-elem directive. The workaround is to put them into the style-src directive, which is less restrictive than style-src-elem, so it isn't preferred.
See https://github.com/Maxim-Mazurok/csp-safari-issue for a reproduction, and follow the steps from the README.md.
Another reproduction I found is here: https://csplite.com/csp/test235/#test (you'll need to log in to see it; tests 2a and 3 will fail in Safari and pass in Chrome/Firefox).
Here's the full list of user-agents that experience the same issue on our production website:
Mozilla/5.0 (iPad; CPU OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPad; CPU OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPad; CPU OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 15_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/126 Mobile/15E148 Version/15.0
Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/125.0.6422.80 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.153 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/126.0.6478.54 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/308.0.615969171 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/319.0.638705450 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/320.0.639621854 Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/462.0.0.35.110;FBBV/609503125;FBDV/iPhone16,2;FBMD/iPhone;FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80]
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/463.0.0.32.110;FBBV/612837805;FBDV/iPhone16,2;FBMD/iPhone;FBSN/iOS;FBSV/17.5.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_GB;FBOP/80]
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.49(0x18003137) NetType/WIFI Language/zh_CN
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 (Applebot/0.1; +http://www.apple.com/go/applebot)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
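The report above turns on the CSP3 fallback chain for stylesheet loads: a `<link rel="stylesheet">` or `@import` request is governed by `style-src-elem` if present, otherwise by `style-src`, otherwise by `default-src`. The following is an added example, not code from this bug, from WebKit, or from the reporter's repository. It models that chain and a simplified source-list matcher ('self', 'none', '*', scheme-sources and host-sources with wildcard hosts and ports; path matching, nonces and hashes are deliberately left out), and exposes a `honorsStyleSrcElem` switch that models the reported behaviour of ignoring `style-src-elem` entirely. The policy strings and URLs are constructed for illustration and are assumptions, not the reporter's actual headers.

```javascript
// Added example: CSP3 directive fallback for stylesheet requests, with a
// switch modelling a browser that ignores style-src-elem (as reported here).
// Not code from the WebKit bug, WebKit, or the reporter's repository.

// Fallback order for requests whose destination is "style"
// (<link rel="stylesheet">, @import). Per CSP3 the first present directive wins.
const STYLE_ELEMENT_CHAIN = ["style-src-elem", "style-src", "default-src"];

// Constructed sample policies (assumptions, not the reporter's real headers).
const ELEM_POLICY = "default-src 'self'; style-src-elem 'self' https://fonts.googleapis.com";
const WORKAROUND_POLICY = "default-src 'self'; style-src 'self' https://fonts.googleapis.com";

// Parse a serialized CSP header: directives split on ';', tokens on whitespace.
// A repeated directive name is ignored after its first occurrence (CSP3 rule).
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Pick the directive that governs a stylesheet load. With
// honorsStyleSrcElem=false, style-src-elem is skipped as if unrecognised.
function effectiveDirective(policy, { honorsStyleSrcElem = true } = {}) {
  for (const name of STYLE_ELEMENT_CHAIN) {
    if (name === "style-src-elem" && !honorsStyleSrcElem) continue;
    if (policy.has(name)) return name;
  }
  return null; // no governing directive: the load is not restricted
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Simplified CSP3 source-expression matching for a URL-based request.
function matchesSource(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false; // nonces, hashes, 'unsafe-inline': not URL matches
  if (e === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (e.endsWith(":")) return url.protocol === e; // scheme-source, e.g. "https:"
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const protocols = [scheme ? `${scheme}:` : self.protocol];
  if (protocols[0] === "http:") protocols.push("https:"); // http may be upgraded
  if (!protocols.includes(url.protocol)) return false;
  const hostOk = wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
  if (!hostOk) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === "*") return true;
  return urlPort === (port ?? defaultPort(url.protocol));
}

// Decide whether a stylesheet request from documentUrl may load requestUrl.
function stylesheetAllowed(header, requestUrl, documentUrl, opts) {
  const policy = parsePolicy(header);
  const directive = effectiveDirective(policy, opts);
  if (directive === null) return { allowed: true, directive };
  const url = new URL(requestUrl);
  const self = new URL(documentUrl);
  const allowed = policy.get(directive).some((expr) => matchesSource(expr, url, self));
  return { allowed, directive };
}

// Stand-alone demo on the constructed policies (assumed URLs).
function demo() {
  const css = "https://fonts.googleapis.com/css2?family=Pacifico";
  const page = "https://example.test/";
  return {
    spec: stylesheetAllowed(ELEM_POLICY, css, page),
    ignoresElem: stylesheetAllowed(ELEM_POLICY, css, page, { honorsStyleSrcElem: false }),
    workaround: stylesheetAllowed(WORKAROUND_POLICY, css, page, { honorsStyleSrcElem: false }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Under the spec-conforming path the font stylesheet is allowed by `style-src-elem`; a browser that skips that directive falls through to `default-src 'self'` and blocks the cross-origin sheet, which matches the symptom described in the report. Moving the host into `style-src` makes both paths agree, at the cost that `style-src` also feeds the `style-src-attr` fallback, which is why the reporter calls it less restrictive.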
Radar WebKit Bug Importer
<rdar://problem/132783992>
Karl Dubost
Maxim,
Thanks for the reports
Would you mind sharing the live site where this is happening?
Maxim Mazurok
Hi Karl,
Sure, here's a live website with a reproduction: https://csp-safari-issue.vercel.app/
It works in Chrome (funky font loaded), and it doesn't work in Safari (default font used).
It is a deployment of the 'static' branch: https://github.com/Maxim-Mazurok/csp-safari-issue/tree/static
Hope this helps!
Maxim Mazurok
(In reply to Karl Dubost from comment #2)
> Maxim,
>
> Thanks for the reports
> Would you mind sharing the live site where this is happening?
Hi Karl, it's been a while. I was wondering if you had a chance to check out the reproduction? It's still happening for me on Desktop Safari 18.3.1
Maxim Mazurok
Same on Safari Version 18.4 (19621.1.15.111.1, 19621) on macOS 14.7.5 (23H527)
Ryan Reno
Pull request: https://github.com/WebKit/WebKit/pull/48702
Karl Dubost
@Maxim, Ryan found the source of the issue after investigating another public website where this is failing too.
Maxim Mazurok
Awesome, thank you! I'm not familiar with WebKit sources, but PR looks promising!
Ryan Reno
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54080
EWS
Committed 298104@main (3b36e1e3244a): <https://commits.webkit.org/298104@main>
Reviewed commits have been landed. Closing PR #48702 and removing active labels.