Bug 265158 - Regression: Safari 17.1 blocking JS reading nonce for <style> and <link>
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Safari 17
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2023-11-20 14:16 PST by Chris J. Shull
Modified: 2023-11-20 14:48 PST
Attachments
Safari 17.0 (working) (306.02 KB, image/png)
2023-11-20 14:16 PST, Chris J. Shull
Safari 17.1 (not working) (225.17 KB, image/png)
2023-11-20 14:16 PST, Chris J. Shull

Description Chris J. Shull 2023-11-20 14:16:21 PST
Created attachment 468689
Safari 17.0 (working)

The Google Maps JavaScript API reads the nonce value of an existing <style> or <link rel="stylesheet"> in order to inject more stylesheets with the same nonce. This worked in Safari 17.0.

Starting in Safari 17.1, we are unable to read the nonce value in JS anymore, causing the Google Maps JavaScript API to render incorrectly on websites. Here is a test page reported by one of our customers: https://maps-bug-1a422.web.app/index.html

(We do the same thing for <script> elements, and that still works.)
Comment 1 Chris J. Shull 2023-11-20 14:16:45 PST
Created attachment 468690
Safari 17.1 (not working)
Comment 2 Chris J. Shull 2023-11-20 14:20:23 PST
test JS snippet:

document.querySelector('style[nonce],link[rel="stylesheet"][nonce]').nonce

should return the nonce value
Comment 3 Chris J. Shull 2023-11-20 14:48:02 PST
Apologies, I think something went wonky in my Safari 17.0 tests. Now I *can repro* it there. I'm going to close this and open a new bug that is clearer.
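
The nonce propagation described in this report, as an added example that is not part of the original thread and is not the Google Maps JavaScript API's code: it reads `.nonce` from an existing stylesheet element using the selector from Comment 2, falls back to a `<script>` nonce when that read comes back empty, and reports which source was used. The names `findPageNonce`, `injectStyle` and `fakeDocument` are hypothetical, and the stand-in document and nonce value are constructed so the code runs outside a browser.

```javascript
// Added example. findPageNonce, injectStyle and fakeDocument are hypothetical names.
const NONCE_SOURCES = [
  'style[nonce],link[rel="stylesheet"][nonce]', // selector from the report
  'script[nonce]', // fallback: the report says <script> nonces are still readable
];

// Return the first non-empty nonce and the tag it came from, or null.
function findPageNonce(doc) {
  for (const selector of NONCE_SOURCES) {
    for (const el of doc.querySelectorAll(selector)) {
      // Use the .nonce property; the HTML spec's nonce hiding can blank the
      // content attribute, so getAttribute('nonce') is not a reliable source.
      if (typeof el.nonce === 'string' && el.nonce !== '') {
        return { nonce: el.nonce, tag: el.tagName.toLowerCase() };
      }
    }
  }
  return null;
}

// Inject a <style> carrying the page's nonce; report where the nonce came from
// so an empty read (the symptom in this bug) is visible instead of silent.
function injectStyle(doc, cssText) {
  const found = findPageNonce(doc);
  const style = doc.createElement('style');
  if (found) style.nonce = found.nonce;
  style.textContent = cssText;
  doc.head.appendChild(style);
  return { style, nonceSource: found ? found.tag : null };
}

// Constructed stand-in for a DOM document so the example runs outside a browser.
function fakeDocument(elementsBySelector) {
  return {
    querySelectorAll: (sel) => elementsBySelector[sel] || [],
    createElement: (tag) => ({ tagName: tag.toUpperCase(), nonce: '', textContent: '' }),
    head: { children: [], appendChild(el) { this.children.push(el); return el; } },
  };
}

// Constructed case: <style>.nonce reads empty (the reported symptom), <script>.nonce does not.
const affected = fakeDocument({
  [NONCE_SOURCES[0]]: [{ tagName: 'STYLE', nonce: '' }],
  [NONCE_SOURCES[1]]: [{ tagName: 'SCRIPT', nonce: 'constructed-nonce' }],
});
console.log(injectStyle(affected, '.map{height:100%}').nonceSource); // "script"
```

The `<script>` fallback only helps when the page's Content Security Policy accepts the same nonce for styles as for scripts; a `nonceSource` of `null` means the injected stylesheet carries no nonce and a nonce-based style policy will block it.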