Summer's Words

Being Unsafe Safely: Content-Security-Policy quirks.

A nice trick for locking a page down: a Content-Security-Policy delivered through a `<meta http-equiv>` element is enforced from the point where the parser reaches it, not retroactively, and when more than one policy is in effect a resource must be allowed by every one of them. So a later `<meta>` can only tighten the policy, never loosen it, while anything parsed before it is left alone. This is how the CSP spec says it should work, so it is safe to rely on, almost as if it were intentional!

<!doctype html>
<meta
    http-equiv="Content-Security-Policy"
    content="default-src 'none'; style-src 'unsafe-inline';"
>
<style> /* These styles work: the only policy in effect so far allows inline styles. */ </style>
<meta
    http-equiv="Content-Security-Policy"
    content="style-src 'none';"
>
<style> /* These styles DON'T work: both policies now apply, and the second forbids all styles. */ </style>
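To make the two rules behind this trick concrete (a meta policy applies only from its parse position onward, and every active policy must allow a load), here is an added example, not code from the post, that simulates the relevant slice of CSP in Node: it parses serialized policies, resolves `style-src` with fallback to `default-src`, honours `'none'` and `'unsafe-inline'`, and walks a document in parse order. Nonces, hashes and host sources are deliberately not modelled; the node shapes (`meta-csp`, `style`) are this example's own convention.

```javascript
// Added example (not from the post): a minimal model of how a browser applies
// several Content-Security-Policy sources to inline <style> elements as the
// document is parsed. Only the keywords 'none' and 'unsafe-inline' and the
// style-src -> default-src fallback are modelled; nonces/hashes are out of scope.

// Parse "default-src 'none'; style-src 'unsafe-inline'" into a Map from
// directive name to its list of source expressions. As in the spec, a repeated
// directive name is ignored: the first occurrence wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Does one policy allow an inline <style> element?
// style-src governs stylesheets; if it is absent default-src applies; if neither
// is present the policy says nothing about styles and allows them. An empty list
// or a lone 'none' blocks; otherwise inline styles need 'unsafe-inline'.
function policyAllowsInlineStyle(policy) {
  const sources = policy.get("style-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  if (sources.length === 0) return false;
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.length === 1 && lower[0] === "'none'") return false;
  return lower.includes("'unsafe-inline'");
}

// Walk a document in parse order. A "meta-csp" node adds a policy that applies
// from this point on; a "style" node is allowed only if every policy active so
// far allows it. Returns one boolean per style element, in document order.
function simulateInlineStyles(nodes) {
  const activePolicies = [];
  const results = [];
  for (const node of nodes) {
    if (node.type === "meta-csp") {
      activePolicies.push(parsePolicy(node.content));
    } else if (node.type === "style") {
      results.push(activePolicies.every(policyAllowsInlineStyle));
    }
  }
  return results;
}

// The document from the post, as a constructed token stream in parse order.
const POST_DOCUMENT = [
  { type: "meta-csp", content: "default-src 'none'; style-src 'unsafe-inline';" },
  { type: "style" },
  { type: "meta-csp", content: "style-src 'none';" },
  { type: "style" },
];

// Constructed counter-example: a later meta cannot loosen an earlier policy,
// because the stricter policy is still active and must also allow the style.
const LOOSEN_ATTEMPT = [
  { type: "meta-csp", content: "style-src 'none';" },
  { type: "meta-csp", content: "style-src 'unsafe-inline';" },
  { type: "style" },
];

console.log(simulateInlineStyles(POST_DOCUMENT)); // [ true, false ]
console.log(simulateInlineStyles(LOOSEN_ATTEMPT)); // [ false ]
```

The second stream is the caveat worth remembering: the trick only ever adds restrictions, so whatever is parsed before the tightening `<meta>` (your own trusted styles, but also anything an attacker managed to inject up there) is not covered by it. Keep the window between the permissive and the restrictive policy as small as the page allows, and remember that a meta-delivered policy cannot carry `frame-ancestors`, `report-uri` or `sandbox`; those still need the HTTP header.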