Created attachment 468507: expected result

To reproduce, first load https://duckduckgo.com/ and then load https://expired.badssl.com/

In Epiphany, the expected result is for an insecure lock icon to be displayed on the TLS error page. But actually, the icon is blocked by DuckDuckGo's Content Security Policy, i.e. the CSP for the *previous* page is still being enforced for the next load, even though the next load is for a different website that has nothing to do with DuckDuckGo.

This is probably specific to alternate HTML loads, but I'm not certain. The TLS error page works fine if I visit https://expired.badssl.com/ directly without first loading https://duckduckgo.com/

(I assume it won't be possible to reproduce the exact same error in Safari as the TLS error page is surely constructed differently, but it seems unlikely that the underlying bug is platform-specific.)

Created attachment 468508: actual result

Almost forgot to provide the error message from the web inspector:

[Error] Refused to load ephy-resource:///org/gnome/epiphany/page-icons/channel-insecure-symbolic.svg because it does not appear in the img-src directive of the Content Security Policy.

Note that the error page isn't a normal navigation; it's `WebPage::loadAlternateHTML()`, possibly leaving some state behind.

<rdar://problem/118411558>