
Content Security Policy violation inconsistencies across browsers

submitted by
Style Pass
2021-05-30 21:30:07

I recently learned that Content Security Policy (CSP) violations are reported differently depending on the browser being used.

This CSP allows only the use of inline resources, such as inline <script> elements, inline event handlers, and inline <style> elements. In the example, I’m loading an external script (<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js">) to force a SecurityPolicyViolationEvent and I’m showing its details by listening to securitypolicyviolation events.

The main differences I noticed by running the examples in Chrome (v90.0.4430.212), Safari (v14.1), and Firefox (v88.0.1) are the following.

How the violated policy is configured to be treated by the user agent (the event's disposition property). This should be enforce or report. In Safari, this is not implemented yet, so it is always undefined.

Directive whose enforcement uncovered the violation (the event's effectiveDirective property). To me, this is the biggest difference in violation event implementation.
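Because the two fields above differ by browser, anything that logs or counts these events needs to normalise them first. The following is an added example, not code from the original post: it maps granular directives onto their base form, treats a missing disposition as unknown rather than enforce, and tallies constructed sample events; the policy string and the two sample event shapes are assumptions for illustration.

```javascript
// Added example (not the post's own code): normalise SecurityPolicyViolationEvent
// fields so events from different browsers can be compared. Helpers are pure and
// run in Node; the listener is only registered when a DOM exists.
// Chrome reports granular directives (script-src-elem, style-src-attr); under
// the CSP3 fallback rules they map onto the base directive that other engines
// report, so comparisons are made on the base form.
function baseDirective(effectiveDirective) {
  if (typeof effectiveDirective !== 'string' || effectiveDirective === '') return 'unknown';
  return effectiveDirective.replace(/-(elem|attr)$/, '');
}

// Safari 14.1 leaves `disposition` undefined; anything other than the two spec
// values is reported as 'unknown' rather than assumed to be enforce.
function normalizeDisposition(disposition) {
  return disposition === 'enforce' || disposition === 'report' ? disposition : 'unknown';
}

function normalizeViolation(ev) {
  return {
    disposition: normalizeDisposition(ev.disposition),
    directive: baseDirective(ev.effectiveDirective),
    rawDirective: typeof ev.effectiveDirective === 'string' ? ev.effectiveDirective : null,
    blockedURI: ev.blockedURI || '',
    policy: ev.originalPolicy || '',
  };
}

// Count violations per (disposition, directive) pair: the shape you want before
// comparing what each browser produced for the same page.
function tallyViolations(events) {
  const counts = {};
  for (const ev of events) {
    const n = normalizeViolation(ev);
    const key = `${n.disposition}/${n.directive}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample events (assumed shapes, not captured from real browsers).
const JQUERY = 'https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js';
const POLICY = "script-src 'unsafe-inline'; style-src 'unsafe-inline'";
const SAMPLE_EVENTS = [
  { disposition: 'enforce', effectiveDirective: 'script-src-elem', blockedURI: JQUERY, originalPolicy: POLICY },
  { disposition: undefined, effectiveDirective: 'script-src', blockedURI: JQUERY, originalPolicy: POLICY },
];

if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => console.log(normalizeViolation(ev)));
}
```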
