159832 2016-07-15 14:00:13 -0700 CSP: Do not send report violation for policies that have hash but not 'unsafe-inline' 2022-01-18 13:35:09 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED FIXED P2 Normal --- 159841 1 dbates webkit-unassigned bfulgham pgriffis wilander oldest_to_newest 1211555 0 dbates 2016-07-15 14:00:13 -0700 Suppose a page has the following markup: ... <head> <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-A'"> <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'"> </head> <script>/* A script whose CSP SHA is 'sha256-A'. */</script> ... Then we should send exactly one CSP violation report that explains that the script was blocked because it violated the second CSP meta tag. We should have similar behavior for policies that have hashes for style elements. 1831795 1 pgriffis 2022-01-18 13:35:09 -0800 Fixed by r288132