Reputation: 801
I'm using Safari 14.0.3 on Mac, and rendering the following link tag:
<link rel="preload" href="/_next/static/chunks/194.js?ts=1619710448027" as="script" nonce="Hkb65_tcgqVrk2Zk">
My CSP header includes the following:
script-src 'strict-dynamic' 'unsafe-eval' 'nonce-Hkb65_tcgqVrk2Zk';
As you can see, the correct nonce is being applied to the link tag. This works correctly in Chrome and FF, but Safari throws the error:
[Error] [Report Only] Refused to load https://dev.example.com:4200/_next/static/chunks/194.js?ts=1619710448027 because it does not appear in the script-src directive of the Content Security Policy.
I haven't been able to find anything online about Safari failing to support nonces on link tags. Hoping someone can tell me how to solve this or point me to resources that at least confirm it isn't possible.
Upvotes: 2
Views: 913
Reputation: 8546
Yes, Safari does not support 'nonce-value' for the <link rel="preload" construction. BTW, the Firefox browser too allows preloading resources even without 'nonce-value'. Only Chrome supports nonces in preloading scripts and styles.
You needlessly fear the use of the 'self' token - it is cancelled when paired with the 'strict-dynamic' token in CSP3 browsers (modern Chrome and Firefox). Therefore 'self' will only work in Safari, which does not support 'strict-dynamic'.
I think you found a good decision for the issue - to use CSP in browsers backward compatibility mode.
Upvotes: 1
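The backward-compatible policy the answer recommends, as an added example that is not part of the thread: a simplified model of how a CSP2 browser (no 'strict-dynamic' support, nonce on the preload link not honoured) and a CSP3 browser evaluate the same script-src. The matcher is an assumption for illustration only (no wildcards, hashes or propagation) and is not a browser's real algorithm.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit


def make_nonce() -> str:
    # 128 bits of randomness, base64url encoded; generate a fresh one per response
    return secrets.token_urlsafe(16)


def build_script_src(nonce: str) -> str:
    # Backward-compatibility mode: CSP3 browsers honour the nonce and
    # 'strict-dynamic' and ignore the 'self' source; CSP2 browsers ignore
    # 'strict-dynamic' and fall back to 'self' for same-origin scripts.
    return f"script-src 'nonce-{nonce}' 'strict-dynamic' 'self' 'unsafe-eval'"


def script_allowed(directive: str, url: str, page_origin: str,
                   nonce: Optional[str], csp3: bool) -> bool:
    """Simplified check: is `url` allowed as a script by this script-src?

    nonce: the nonce the browser actually attributes to the request
           (None models Safari ignoring the nonce on <link rel=preload>).
    csp3:  whether the browser implements 'strict-dynamic'.
    """
    tokens = directive.split()[1:]
    if nonce is not None and f"'nonce-{nonce}'" in tokens:
        return True
    if csp3 and "'strict-dynamic'" in tokens:
        # CSP3: host sources and 'self' are ignored once 'strict-dynamic' is present
        return False
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    if "'self'" in tokens and origin == page_origin:
        return True
    # plain host-source or scheme-source match (no wildcard handling)
    return any(t == origin or t == f"{u.scheme}:" for t in tokens)


# Constructed sample based on the question's values
ORIGIN = "https://dev.example.com:4200"
SCRIPT = ORIGIN + "/_next/static/chunks/194.js?ts=1619710448027"
NONCE = "Hkb65_tcgqVrk2Zk"
QUESTION_POLICY = f"script-src 'strict-dynamic' 'unsafe-eval' 'nonce-{NONCE}'"

if __name__ == "__main__":
    print("Safari, question policy:", script_allowed(QUESTION_POLICY, SCRIPT, ORIGIN, None, False))
    print("Safari, compat policy:  ", script_allowed(build_script_src(NONCE), SCRIPT, ORIGIN, None, False))
    print("Chrome, compat policy:  ", script_allowed(build_script_src(NONCE), SCRIPT, ORIGIN, NONCE, True))
```

The first call reproduces the Safari refusal from the question; the compat policy lets Safari fall back to 'self' while a CSP3 browser still requires the nonce.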