Open
Labels
p1: We will address this soon and will provide capacity from our team for it in the next few releases.
Description
What information was incorrect, unhelpful, or incomplete?
Report shows
Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval'
for
default-src 'self'; base-uri 'none'; img-src 'self' data:; style-src 'nonce-XXX' 'unsafe-inline' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; script-src 'nonce-XXX' 'report-sample'; form-action 'self'; frame-ancestors 'self'; connect-src 'none'; object-src 'none'; upgrade-insecure-requests; report-uri https://<DOMAIN>/@http-reporting?csp=report&requestTime=XXX&requestHash=XXX
What did you expect to see?
The message
Content Security Policy (CSP) implemented with unsafe sources inside style-src. This includes 'unsafe-inline', data: or overly broad sources such as https. 'form-action' is set to 'self', 'none' or 'specific source'
Do you have any supporting links, references, or citations?
No response
Do you have anything more you want to share?
No response
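An added example, not part of the original report and not the scanner's own code: a per-directive check of the policy quoted above that separates a literal 'unsafe-inline' token from whether a CSP Level 3 browser would honour it. All function and constant names are hypothetical; the policy string is copied from the report.

```javascript
// Added example: which inline style/script behaviour does a CSP string permit?
// POLICY is the one quoted in the report; all names here are hypothetical.
const POLICY = "default-src 'self'; base-uri 'none'; img-src 'self' data:; style-src 'nonce-XXX' 'unsafe-inline' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; script-src 'nonce-XXX' 'report-sample'; form-action 'self'; frame-ancestors 'self'; connect-src 'none'; object-src 'none'; upgrade-insecure-requests; report-uri https://<DOMAIN>/@http-reporting?csp=report&requestTime=XXX&requestHash=XXX";

// Directive consulted for each inline type, in fallback order (CSP Level 3).
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src-attr": ["script-src-attr", "script-src", "default-src"],
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "style-src-attr": ["style-src-attr", "style-src", "default-src"],
};

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStatus(directives, type) {
  const governing = FALLBACK[type].find((d) => directives.has(d)) || null;
  // No governing directive means the policy does not restrict this type.
  if (!governing) return { governing, listed: false, effective: true };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const listed = sources.includes("'unsafe-inline'");
  // A nonce or hash (or 'strict-dynamic' for scripts) in the same list
  // makes a CSP3 browser ignore 'unsafe-inline'.
  const overridden =
    sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s)) ||
    (type.startsWith("script") && sources.includes("'strict-dynamic'"));
  return { governing, listed, effective: listed && !overridden };
}

function auditInline(policy) {
  const directives = parseCsp(policy);
  const report = {};
  for (const type of Object.keys(FALLBACK)) report[type] = inlineStatus(directives, type);
  return report;
}

console.log(auditInline(POLICY));
```

For the quoted policy, `style-src-attr` comes back as both listed and effective, while the 'unsafe-inline' in `style-src` is listed but overridden by the nonce in the same source list.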