WebKit Bugzilla
RESOLVED FIXED
276931
Safari ignores style-src-elem in CSP
https://bugs.webkit.org/show_bug.cgi?id=276931
Maxim Mazurok
Reported
2024-07-22 23:15:38 PDT
In short, when using <link> and @import approach to add CSS to my website, Safari 17 (both on Mac and on iOS) doesn't let them load even though they are allowed in style-src-elem directive. Workaround is to put them into style-src directive, which is less restrictive than style-src-elem, so it isn't preferred. See
https://github.com/Maxim-Mazurok/csp-safari-issue
for reproduction, and follow the steps from the README.md. Another reproduction I found here:
https://csplite.com/csp/test235/#test
(you'll need to login to see it, and 2a and 3 test will fail in Safari and pass in Chrome/Firefox). Here's the full list of user-agents that experience the same issue on our production website:
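The directive precedence behind this report, as an added example (not code from the reporter's repository or from WebKit): under CSP Level 3 a stylesheet load is governed by the first of `style-src-elem`, `style-src`, `default-src` present in the policy. The two policies, the origins `app.example` and `fonts.example`, and all function names are constructed; `IGNORES_ELEM` models only the symptom named in the title, since the thread does not describe the actual defect.

```javascript
// Fallback order CSP Level 3 defines for stylesheet loads (<link>, @import).
const SPEC_FALLBACK = ["style-src-elem", "style-src", "default-src"];
// Model of the reported symptom only: an engine that never consults style-src-elem.
const IGNORES_ELEM = ["style-src", "default-src"];

// Constructed policies: the preferred strict form and the workaround from the report.
const STRICT = "default-src 'self'; style-src 'self'; style-src-elem 'self' https://fonts.example";
const WORKAROUND = "default-src 'self'; style-src 'self' https://fonts.example";

// Parse a policy string into Map(directive name -> list of source expressions).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified matching: 'none', 'self', "*", scheme sources and host sources with an
// optional scheme and leading "*." wildcard. Ports, paths and scheme upgrades are omitted.
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (e === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(e);
  if (!m) return false; // other keywords, nonces and hashes never match a URL
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Report which directive governs a stylesheet load and whether the load is allowed.
function checkStylesheet(policy, stylesheetUrl, selfOrigin, fallback = SPEC_FALLBACK) {
  const directives = parsePolicy(policy);
  const governing = fallback.find((d) => directives.has(d)) ?? null;
  if (governing === null) return { governing, allowed: true }; // no directive applies
  const url = new URL(stylesheetUrl);
  const allowed = directives.get(governing).some((s) => sourceMatches(s, url, selfOrigin));
  return { governing, allowed };
}
```

Running both policies through `checkStylesheet` with `SPEC_FALLBACK` and then `IGNORES_ELEM` shows why the workaround loads everywhere while the strict policy fails only in the engine that skips `style-src-elem`.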
Radar WebKit Bug Importer
Comment 1
2024-07-29 23:16:12 PDT
<rdar://problem/132783992>
Karl Dubost
Comment 2
2024-08-19 20:28:26 PDT
Maxim, thanks for the reports. Would you mind sharing the live site where this is happening?
Maxim Mazurok
Comment 3
2024-08-20 18:45:42 PDT
Hi Karl, Sure, here's a live website with a reproduction:
https://csp-safari-issue.vercel.app/
It works in Chrome (funky font loaded), and it doesn't work in Safari (default font used). It is a deployment of the 'static' branch:
https://github.com/Maxim-Mazurok/csp-safari-issue/tree/static
Hope this helps!
Maxim Mazurok
Comment 4
2025-05-05 00:10:05 PDT
(In reply to Karl Dubost from comment #2)
> Maxim,
>
> Thanks for the reports
> Would you mind sharing the live site where this is happening?
Hi Karl, it's been a while. I was wondering if you had a chance to check out the reproduction? It's still happening for me on Desktop Safari 18.3.1
Maxim Mazurok
Comment 5
2025-05-05 04:32:55 PDT
Same on Safari Version 18.4 (19621.1.15.111.1, 19621) on macOS 14.7.5 (23H527)
Ryan Reno
Comment 6
2025-07-29 22:06:57 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/48702
Karl Dubost
Comment 7
2025-07-29 22:31:32 PDT
@Maxim, Ryan found the source of the issue after investigating another public website where this is failing too.
Maxim Mazurok
Comment 8
2025-07-29 22:34:09 PDT
Awesome, thank you! I'm not familiar with WebKit sources, but PR looks promising!
Ryan Reno
Comment 9
2025-07-31 11:34:06 PDT
Submitted web-platform-tests pull request:
https://github.com/web-platform-tests/wpt/pull/54080
EWS
Comment 10
2025-07-31 15:04:20 PDT
Committed 298104@main (3b36e1e3244a): <https://commits.webkit.org/298104@main>
Reviewed commits have been landed. Closing PR #48702 and removing active labels.
fiyaas007
Comment 11
2026-01-31 10:51:45 PST
(In reply to Maxim Mazurok from comment #0)