You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Browser bug (a bug with a feature that may impact site compatibility)
What information was incorrect, unhelpful, or incomplete?
Safari does not check the style-src-elem directive when loading styles from a tag.
What browsers does this problem apply to, if applicable?
Safari
What did you expect to see?
The stylesheet should be loaded.
Did you test this? If so, how?
This was tested in Safari 17.6 on MacOS 14.6.1 and iOS 17.6.1.
I configured a Content-Security-Policy header with style-src-elem 'self' https://cdnjs.cloudflare.com, yet styles from both my current domain and cdnjs.cloudflare.com did not load. The following error was displayed for the CloudFlare resource:
The same message appeared for another CSS file on my current domain.
While it's true that I did not have a style-src directive, the style-src-elem directive should be checked first.
The HTTP Content-Security-Policy (CSP) style-src-elem directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
If this directive is absent, the user agent will look for the style-src directive, and if both of them are absent, fall back to default-src directive.
What type of issue is this?
Browser bug (a bug with a feature that may impact site compatibility)
What information was incorrect, unhelpful, or incomplete?
Safari does not check the style-src-elem directive when loading styles from a tag.
What browsers does this problem apply to, if applicable?
Safari
What did you expect to see?
The stylesheet should be loaded.
Did you test this? If so, how?
This was tested in Safari 17.6 on MacOS 14.6.1 and iOS 17.6.1.
I configured a Content-Security-Policy header with
style-src-elem 'self' https://cdnjs.cloudflare.com
, yet styles from both my current domain andcdnjs.cloudflare.com
did not load. The following error was displayed for the CloudFlare resource:Refused to load https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
The same message appeared for another CSS file on my current domain.
While it's true that I did not have a
style-src
directive, thestyle-src-elem
directive should be checked first.(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem)
Can you link to any release notes, bugs, pull requests, or MDN pages related to this?
No response
Do you have anything more you want to share?
No response
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
MDN metadata
MDN page report details
http.headers.Content-Security-Policy.style-src-elem
The text was updated successfully, but these errors were encountered: