Portal website error in Safari after latest updates

It seems that the latest Safari update and/or latest UCS update have produced some errors working with administration in the portal.

I can’t view users any longer in Safari and it looks like it is related to the following error.

Refused to apply a stylesheet because its hash, its nonce, or ‘unsafe-inline’ does not appear in the style-src directive of the Content Security Policy.

I am not getting this error in Firefox. Is anyone else seeing portal issues after running the latest Mac security/Safari updates?

I played around with this a little more and manually added the ‘unsafe-inline’ directive in univention-portal.conf but that didn’t solve the problem.

I also looked into the dev tools in Firefox to see why it was working there, and in the console Firefox says

Content Security Policy: Couldn’t process unknown directive ‘style-src-elem’

So maybe it’s just a lucky quirk that it’s ignoring this directive and thus loading the elements Safari is refusing to based on the CSP directives.

It’s been a while since I was involved at a low level in web development so I don’t really have much experience or understanding of how all the newer security policy settings interact.

… a bit later…

On a whim while writing this I decided to download Chromium and see what it says.

Besides the not found error on /univention/portal/i18n/en.json, which also shows up in the other browsers, it gave a more detailed error explanation.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem 'self' 'sha256-kDRQ3dagwwb3nrm8xnMC0VgLt6lNN98+2oajznduaKI='". Either the 'unsafe-inline' keyword, a hash ('sha256-b3IrgBVvuKx/Q3tmAi79fnf6AFClibrz/0S5x1ghdGU='), or a nonce ('nonce-...') is required to enable inline execution.

I tried adding the additional hash, but it’s apparently not set in univention-portal.conf because I still get the same error.

So it looks like right now only Firefox works for me out of my 3 browsers and I fear that it may break also on a future update once it starts supporting the style-src-elem directive.
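The directive fallback behind the three browser results above, as an added example that is not part of the original post or of UCS: a browser that implements `style-src-elem` uses it for `<style>` elements and ignores `style-src`, a browser that does not implement it falls back to `style-src`, and `'unsafe-inline'` is ignored in any directive that also lists a hash or nonce. The `style-src` value and the CSS text are assumptions; the function names are hypothetical.

```python
import base64
import hashlib

HASH_OR_NONCE = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")

# Constructed inputs: the style-src-elem value is copied from the Chromium
# message in the post; the style-src value and the CSS text are assumptions.
HEADER = ("style-src 'self' 'unsafe-inline'; "
          "style-src-elem 'self' 'sha256-kDRQ3dagwwb3nrm8xnMC0VgLt6lNN98+2oajznduaKI='")
CSS = "body { margin: 0 }"

def csp_hash(inline_css):
    """Hash source for the exact text between <style> and </style>."""
    digest = hashlib.sha256(inline_css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def parse_policy(header):
    """Split a CSP header into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_directive(policy, supports_elem=True):
    """Directive that governs <style> elements, following the fallback chain."""
    chain = ["style-src-elem", "style-src", "default-src"]
    if not supports_elem:          # browser reports style-src-elem as unknown
        chain = chain[1:]
    return next((name for name in chain if name in policy), None)

def inline_style_allowed(header, inline_css, supports_elem=True):
    policy = parse_policy(header)
    name = effective_directive(policy, supports_elem)
    if name is None:
        return True                # no directive restricts styles
    sources = policy[name]
    if csp_hash(inline_css) in sources:
        return True
    # 'unsafe-inline' only counts when no hash or nonce is listed beside it.
    strict = any(s.startswith(HASH_OR_NONCE) for s in sources)
    return "'unsafe-inline'" in sources and not strict

if __name__ == "__main__":
    print("style-src-elem supported:", inline_style_allowed(HEADER, CSS))
    print("style-src-elem unknown:  ", inline_style_allowed(HEADER, CSS, False))
    print("hash to add for this CSS:", csp_hash(CSS))
```

The hash has to be added to the directive the browser actually evaluates, and it must be computed over the inline style text byte for byte, whitespace included.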
