'base-uri' violation example
In Safari, removing a base element from a page that has a
Content Security Policy base-uri directive causes a CSP
violation — regardless of the base-uri's value.
You can test this behaviour using this page.
This HTML document is served with a "base-uri 'self'" Content
Security Policy, and there's a
<base href="https://mmazzarolo.com/"> element in its
body.
The base element will be removed from the page by pressing
the button below, and if you're on Safari, a CSP violation will be
reported (in the console).
For more info, check out my "Yet another browser-specific CSP quirk: Safari and base-uri" blog post.