Following up from Brent Fulgham's remark in bug #155007, comment 5, we should compute the digest for an inline script/stylesheet using the raw bytes from the page instead of the output from the parser to ensure that the computed hash matches the hash specified in the CSP. The output from the parser may differ in Unicode normalization and XML/HTML entity decoding from the raw byte representation of the inline script/stylesheet among other differences.
<rdar://problem/25041563>
Closing this as it is no longer relevant to modern CSP. All other browsers implemented CSP as hashing the UTF-8 encoded version of content and as of CSP3 this is now documented in the spec[0]. WebKit now follows that behavior as of r287270. [0] https://www.w3.org/TR/CSP3/#match-element-to-source-list