Portal website error in Safari after latest updates

It seems that the latest Safari update and/or latest UCS update have produced some errors working with administration in the portal.

I can’t view users any longer in Safari and it looks like it is related to the following error.

Refused to apply a stylesheet because its hash, its nonce, or ‘unsafe-inline’ does not appear in the style-src directive of the Content Security Policy.

I am not getting this error in Firefox. Is anyone else seeing portal issues after running the latest Mac security/safari updates?

I played around with this a little more and manually added the ‘unsafe-inline’ directive in univention-portal.conf but that didn’t solve the problem.

I also looked into the dev tools in Firefox to see why it was working there, and in the console Firefox says

Content Security Policy: Couldn’t process unknown directive ‘style-src-elem’

So maybe it’s just a lucky quirk that it’s ignoring this directive and thus loading the elements Safari is refusing to based on the CSP directives.

It’s been a while since I was involved at a low level in web development so I don’t really have much experience or understanding of how all the newer security policy settings interact.

… a bit later…

On a whim while writing this I decided to download Chromium and see what it says.

Besides the not found error on /univention/portal/i18n/en.json, which also shows up in the other browsers, it gave a more detailed error explanation.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem 'self' 'sha256-kDRQ3dagwwb3nrm8xnMC0VgLt6lNN98+2oajznduaKI='". Either the 'unsafe-inline' keyword, a hash ('sha256-b3IrgBVvuKx/Q3tmAi79fnf6AFClibrz/0S5x1ghdGU='), or a nonce ('nonce-...') is required to enable inline execution.

I tried adding the additional hash, but it’s apparently not set in univention-portal.conf because I still get the same error.

So it looks like right now only Firefox works for me out of my 3 browsers and I fear that it may break also on a future update once it starts supporting the style-src-elem directive.