http.headers.Content-Security-Policy.style-src-elem - Safari does not use this directive #24299
Labels
data:http 🚠
Compat data for HTTP features. https://developer.mozilla.org/docs/Web/HTTP
Comments
queengooborg
added
the
data:http 🚠
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
What type of issue is this?
Browser bug (a bug with a feature that may impact site compatibility)
What information was incorrect, unhelpful, or incomplete?
Safari does not check the style-src-elem directive when loading styles from a tag.
What browsers does this problem apply to, if applicable?
Safari
What did you expect to see?
The stylesheet should be loaded.
Did you test this? If so, how?
This was tested in Safari 17.6 on MacOS 14.6.1 and iOS 17.6.1.
I configured a Content-Security-Policy header with
style-src-elem 'self' https://cdnjs.cloudflare.com, yet styles from both my current domain andcdnjs.cloudflare.comdid not load. The following error was displayed for the CloudFlare resource:Refused to load https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy.
The same message appeared for another CSS file on my current domain.
While it's true that I did not have a
style-srcdirective, thestyle-src-elemdirective should be checked first.(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem)
Can you link to any release notes, bugs, pull requests, or MDN pages related to this?
No response
Do you have anything more you want to share?
No response
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
MDN metadata
MDN page report details
http.headers.Content-Security-Policy.style-src-elemThe text was updated successfully, but these errors were encountered: