We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.
(In reply to comment #0)
> We should send a CSP violation report and log a console message when there
> is a nonce violation in a report-only policy.

Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce, even if the nonce is found in all enforced policies. For example:

...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...

<html>
<body>
<script nonce="A">...</script>
</body>
</html>

This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.
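The expected behaviour described in the two comments, modelled as an added example (not code from the bug report or from any browser): each delivered policy is evaluated independently against the script's nonce, a failing enforced policy blocks and reports, and a failing report-only policy reports and logs without blocking, even when every enforced policy accepts the nonce. Only `'nonce-...'` source expressions are considered; hashes, host sources and `'unsafe-inline'` are out of scope here, and the policy fallback from `script-src` to `default-src` is the only other CSP rule modelled.

```javascript
// Added example: a minimal model of how a user agent should treat an inline
// <script nonce="..."> under several CSP policies. Not from the bug report or
// from any browser's code base; only nonce sources are evaluated.

// Return the nonces allowed for scripts by one policy string, or null when
// the policy has neither script-src nor default-src (it then does not govern
// scripts at all and must not produce a violation).
function allowedNonces(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  const values = directives.get('script-src') || directives.get('default-src');
  if (values === undefined) return null;
  return values
    .filter((v) => /^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(v))
    .map((v) => v.slice("'nonce-".length, -1));
}

// policies: array of { header, value } as delivered in the HTTP response,
// header being 'Content-Security-Policy' or 'Content-Security-Policy-Report-Only'.
// Returns whether the script is blocked and one violation per failing policy,
// each carrying its disposition ('enforce' or 'report') and console message.
function evaluateScriptNonce(policies, scriptNonce) {
  const violations = [];
  let blocked = false;
  for (const { header, value } of policies) {
    const reportOnly = header.toLowerCase() === 'content-security-policy-report-only';
    const nonces = allowedNonces(value);
    if (nonces === null || nonces.includes(scriptNonce)) continue;
    violations.push({
      disposition: reportOnly ? 'report' : 'enforce',
      policy: value,
      consoleMessage: `CSP: nonce "${scriptNonce}" was not found in the ` +
        `${reportOnly ? 'report-only' : 'enforced'} policy "${value}"`,
    });
    if (!reportOnly) blocked = true; // report-only never blocks execution
  }
  return { blocked, violations };
}
```

For the headers and `<script nonce="A">` shown in comment #1 this yields `blocked === false` and exactly one violation with disposition `report`, which is the single report and console message the comment asks for.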