WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
265158
Regression: Safari 17.1 blocking JS reading nonce for <style> and <link>
https://bugs.webkit.org/show_bug.cgi?id=265158
Summary
Regression: Safari 17.1 blocking JS reading nonce for <style> and <link>
Chris J. Shull
Reported
2023-11-20 14:16:21 PST
Created
attachment 468689
[details]
Safari 17.0 (working) The Google Maps JavaScript API reads the nonce value of an existing <style> or <link rel="stylesheet"> in order to inject more stylesheets with the same nonce. This worked in Safari 17.0 Starting in Safari 17.1, we are unable to read the nonce value in JS anymore, causing the Google Maps JavaScript API to render incorrectly on websites. Here is a test page reported by one of our customers:
https://maps-bug-1a422.web.app/index.html
(We do the same thing for <script> elements, and that still works.)
Attachments
Safari 17.0 (working)
(306.02 KB, image/png)
2023-11-20 14:16 PST
,
Chris J. Shull
no flags
Details
Safari 17.1 (not working)
(225.17 KB, image/png)
2023-11-20 14:16 PST
,
Chris J. Shull
no flags
Details
View All
Add attachment
proposed patch, testcase, etc.
Chris J. Shull
Comment 1
2023-11-20 14:16:45 PST
Created
attachment 468690
[details]
Safari 17.1 (not working)
Chris J. Shull
Comment 2
2023-11-20 14:20:23 PST
test JS snippet: document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce should return he nonce value
Chris J. Shull
Comment 3
2023-11-20 14:48:02 PST
Apologies, I think something went pinky in my Safari 17.0 tests. Now I *can repro* it there. I'm going to close this and open anew bug that is clearer.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug