Bug 265173

Summary: Safari blocking JS reading nonce for <style> and <link>
Product: WebKit Reporter: Chris J. Shull <chrisjshull>
Component: WebCore Misc. Assignee: Anne van Kesteren <annevk>
Status: RESOLVED FIXED
Severity: Normal CC: annevk, karlcow, mike, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Safari 17   
Hardware: Unspecified   
OS: macOS 14   

Description Chris J. Shull 2023-11-20 20:53:16 PST
The Google Maps JavaScript API reads the nonce value of an existing <style> or <link rel="stylesheet"> in order to inject more stylesheets with the same nonce.
(We do the same thing for <script> elements, and that works fine.)

This works fine in Chrome 119 and Firefox 119, but in Safari (tested on Version 17.1 - 18616.2.9.11.10, 18616) we are unable to read the nonce value in JS, causing the Google Maps JavaScript API to render incorrectly on websites. 

Here is a test page reported by one of our customers: https://maps-bug-1a422.web.app/index.html
It is served with the header:
Content-Security-Policy: default-src https:;script-src 'strict-dynamic' 'nonce-f4K3+nOnc3/';style-src 'nonce-f4K3+nOnc3/' https://fonts.googleapis.com;img-src https: data:

Test JS snippet:

document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce

This should return the nonce value, but instead returns an empty string.
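Added example (not code from the bug report, the Maps API or WebKit) showing the pattern the report describes: read the nonce via the `nonce` IDL property (the content attribute is emptied by HTML's nonce hiding once a CSP with a nonce source is in effect), check it against the policy's style-src before reusing it, and refuse to inject when the engine returns an empty string, which reproduces the Safari 17.1 failure. The CSP header is the one from the report; the document object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example (not from the bug report or WebKit): reuse a CSP nonce read from
// an existing element for an injected stylesheet. Under nonce hiding the content
// attribute reads as '' (getAttribute) while the `nonce` IDL property keeps the
// value; Safari 17.1 also returned '' from the IDL property on <style>/<link>.

// CSP header quoted in the bug report.
const CSP_HEADER =
  "default-src https:;script-src 'strict-dynamic' 'nonce-f4K3+nOnc3/';" +
  "style-src 'nonce-f4K3+nOnc3/' https://fonts.googleapis.com;img-src https: data:";

// Collect the nonce values a directive accepts, so an element's nonce can be
// checked against the policy before anything is inserted.
function noncesFor(header, directive) {
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name === directive) {
      return sources
        .filter((s) => s.startsWith("'nonce-") && s.endsWith("'"))
        .map((s) => s.slice("'nonce-".length, -1));
    }
  }
  return [];
}

// Prefer the IDL property; fall back to the attribute only for engines that
// predate nonce hiding. Returns '' when neither yields a value.
function readNonce(el) {
  if (!el) return '';
  if (typeof el.nonce === 'string' && el.nonce) return el.nonce;
  return (el.getAttribute && el.getAttribute('nonce')) || '';
}

// Build a <link rel=stylesheet> carrying the page's style nonce, refusing when
// the nonce is missing or is not one that style-src lists (it would be blocked).
function noncedStylesheet(doc, href, header = CSP_HEADER) {
  const nonce = readNonce(doc.querySelector('style[nonce],link[rel="stylesheet"][nonce]'));
  if (!noncesFor(header, 'style-src').includes(nonce)) {
    throw new Error('no usable style-src nonce; the stylesheet would be blocked');
  }
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = href;
  link.nonce = nonce;
  return link;
}

// Constructed stand-in for a document (hypothetical, so the example runs in
// Node): the <style> has its attribute hidden, and `idlNonce` models what the
// engine returns from `.nonce` ('' reproduces the Safari 17.1 behaviour).
function fakeDocument(idlNonce) {
  const style = { nonce: idlNonce, getAttribute: (n) => (n === 'nonce' ? '' : null) };
  return { querySelector: () => style, createElement: (tag) => ({ tagName: tag.toUpperCase() }) };
}
```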
Comment 1 Radar WebKit Bug Importer 2023-11-21 01:06:18 PST
<rdar://problem/118676659>
Comment 2 Anne van Kesteren 2023-11-21 01:39:07 PST
Thanks for taking the time to report this Chris, this looks like a silly oversight.
Comment 3 Anne van Kesteren 2023-11-21 01:49:18 PST
Pull request: https://github.com/WebKit/WebKit/pull/20778
Comment 4 EWS 2023-11-22 01:56:05 PST
Committed 271046@main (9ea548224a00): <https://commits.webkit.org/271046@main>

Reviewed commits have been landed. Closing PR #20778 and removing active labels.