We're using a Lit web component that has embedded styles. We generate hash values for the styles (through a PostCSS plugin that is part of our Webpack build) and add them to the HTTP response header in the Content Security Policy header.
This approach works completely fine on nearly all browsers and devices: Chrome, Firefox, Safari on macOS, Safari on iOS all display the component.
However, on iPad Safari the same website doesn't load the component and I get lots of CSP violation errors. The versions of my iPhone and iPad are the same (15.6.1). Strangely enough, another component on the same page that also has a hash in the CSP works! It also only happens in our real application. My demo webserver displays the component on the iPad.
Is there any known difference in how iPads deal with CSP in comparison to iPhones or other browsers?
