Docs says:

- safemode: Only register modules that have ORIGIN_CORE as their origin.
  This disables ORIGIN_USER modules and mw.loader.store. (T185303, T145498)
  See also: OutputPage::disallowUserJs()

It does not disable all JS and CSS, it disables all user provided JS and CSS (for example scripts from user pages 'User:<User>/common.js', but also from mediawiki namespace like 'MediaWiki:Common.js' or Gadgets)
Scripts provide by mediawiki itself are still working.

In T325443#8475862, @Umherirrender wrote:

Docs says:

- safemode: Only register modules that have ORIGIN_CORE as their origin.
  This disables ORIGIN_USER modules and mw.loader.store. (T185303, T145498)
  See also: OutputPage::disallowUserJs()

It does not disable all JS and CSS, it disables all user provided JS and CSS (for example scripts from user pages 'User:<User>/common.js', but also from mediawiki namespace like 'MediaWiki:Common.js' or Gadgets)
Scripts provide by mediawiki itself are still working.

It doesn't work, though, from what you're saying, Common.css should also not be loaded, correct? If correct, then my original comment is correct because Common.css is still loaded.

In T325443#8475879, @OriginalAuthority wrote:

In T325443#8475862, @Umherirrender wrote:

Docs says:

- safemode: Only register modules that have ORIGIN_CORE as their origin.
  This disables ORIGIN_USER modules and mw.loader.store. (T185303, T145498)
  See also: OutputPage::disallowUserJs()

It does not disable all JS and CSS, it disables all user provided JS and CSS (for example scripts from user pages 'User:<User>/common.js', but also from mediawiki namespace like 'MediaWiki:Common.js' or Gadgets)
Scripts provide by mediawiki itself are still working.

It doesn't work, though, from what you're saying, Common.css should also not be loaded, correct? If correct, then my original comment is correct because Common.css is still loaded.

Yes, it includes Common.css.
Works for me with the current master and the latest REL1_39 from git

Steps to reproduce:

• Login as interface admin
• Go to MediaWiki:Common.css and include the content: #firstHeading { background-color: orange; }
• Go to Main Page and the heading should be orange
• Load the Main Page with safemode=1 and the heading is no longer orange

In T325443#8475892, @Umherirrender wrote:

In T325443#8475879, @OriginalAuthority wrote:

In T325443#8475862, @Umherirrender wrote:

Docs says:

- safemode: Only register modules that have ORIGIN_CORE as their origin.
  This disables ORIGIN_USER modules and mw.loader.store. (T185303, T145498)
  See also: OutputPage::disallowUserJs()

It does not disable all JS and CSS, it disables all user provided JS and CSS (for example scripts from user pages 'User:<User>/common.js', but also from mediawiki namespace like 'MediaWiki:Common.js' or Gadgets)
Scripts provide by mediawiki itself are still working.

It doesn't work, though, from what you're saying, Common.css should also not be loaded, correct? If correct, then my original comment is correct because Common.css is still loaded.

Yes, it includes Common.css.
Works for me with the current master and the latest REL1_39 from git

Steps to reproduce:

• Login as interface admin
• Go to MediaWiki:Common.css and include the content: #firstHeading { background-color: orange; }
• Go to Main Page and the heading should be orange
• Load the Main Page with safemode=1 and the heading is no longer orange

I'm also using the latest release and it isn't working? Following the above steps. This is also being reported over at Wiki.gg

Do you have $wgAllowSiteCSSOnRestrictedPages enabled? That allows Common.css to get through safemode.

In T325443#8476067, @Legoktm wrote:

Do you have $wgAllowSiteCSSOnRestrictedPages enabled? That allows Common.css to get through safemode.

Ah, I do, yes. Seems like an oversight? Or is that intentional?