Why is script-src-elem not using values from script-src as a fallback?
After seeing this exact same pattern in some of my applications, I finally got to the root of this! The weirdness we were seeing was that CSP reports were coming in for a hostname which was definitely in the script-src directive; and we know that script-src-elem is supposed to fall back to those directives. From … Read more