Why doesn't Chrome respect my Content Security Policy hashes?

Tag: google-chrome



I assume that you have your inline styles in style attributes (as opposed to inline <style> elements). According to the CSP specification, hashes should apply to inline <style> elements only, not to style attributes.

While Chrome displays a very confusing error message for style attributes, it actually complies with the specification (some other browsers, e.g. Firefox and IE, don't). You cannot allow inline style attributes using hash codes in CSP in Chrome. If you absolutely need to allow them, you have to use 'unsafe-inline'.

The CSP 3.0 specification will probably include the possibility to extend the hash codes to style attributes by using 'unsafe-hashes'. This functionality is still in a "work in progress" state at the moment, though, and does not seem to be implemented in Chrome yet.

Example:

    <?php
    header("Content-Security-Policy: style-src 'self' 'sha256-U/AHSCAVB2ZhU2+kPeMhPfZyIE2wH4fhQ0ZtYjq9/JA=' 'sha256-l8V8xXSfpuv7xbN4e0tIS0v77DG2xfSC1rSpNZak/K8='");
    header("Content-Type: text/html");
    ?>
    <!DOCTYPE html>
    <html>
      <head>
        <!-- Inline style - 'sha256-U/AHSCAVB2ZhU2+kPeMhPfZyIE2wH4fhQ0ZtYjq9/JA=' -->
        <style>.redtext {color: red;}</style>
      </head>
      <body>
        <div class="redtext">This should be red - style from <style> element.</div>
        <!-- Inline style in attribute - 'sha256-l8V8xXSfpuv7xbN4e0tIS0v77DG2xfSC1rSpNZak/K8=' -->
        <div style = "color: green;">This should not be green - style from attribute should be disallowed even though its hash is included in style-src in CSP.</div>
      </body>
    </html>
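As an added example (not part of the answer above or of any browser's own code), the following Python script computes CSP hash source expressions the way the specification defines them, over the exact UTF-8 bytes of each inline body, and builds a style-src directive from a constructed HTML page that mirrors the red/green case. It emits hashes for <style> element bodies only, and lists style attributes separately, adding their hashes only behind 'unsafe-hashes' when the caller opts in; that opt-in assumes a browser that implements CSP level 3's 'unsafe-hashes'. The helper names, the sample HTML and the policy layout are this example's own assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (not the answer's own code): one <style> element and
# one style attribute, mirroring the red/green case discussed above.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
  <head><style>.redtext {color: red;}</style></head>
  <body>
    <div class="redtext">style element</div>
    <div style="color: green;">style attribute</div>
  </body>
</html>"""


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for one inline body.

    The digest covers the exact UTF-8 bytes between the open and close tags, so
    any whitespace or newline difference yields a different, non-matching hash.
    """
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


class _InlineStyleCollector(HTMLParser):
    """Collect <style> element bodies and style="" attribute values separately."""

    def __init__(self) -> None:
        super().__init__()
        self.style_bodies: list[str] = []
        self.style_attrs: list[str] = []
        self._in_style = False
        self._chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            self._chunks = []
        for name, value in attrs:
            if name == "style" and value is not None:
                self.style_attrs.append(value)

    def handle_data(self, data):
        # Inside <style> the parser is in CDATA mode and hands us the raw text.
        if self._in_style:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._in_style:
            self.style_bodies.append("".join(self._chunks))
            self._in_style = False


def collect_inline_styles(html: str) -> tuple[list[str], list[str]]:
    """Return (<style> element bodies, style attribute values) found in `html`."""
    parser = _InlineStyleCollector()
    parser.feed(html)
    parser.close()
    return parser.style_bodies, parser.style_attrs


def build_style_src(html: str, allow_attributes: bool = False) -> str:
    """Build a style-src directive for the inline styles in `html`.

    Hashes are emitted for <style> element bodies only: that is what a CSP
    level 2 browser such as Chrome matches them against.  A hash for a style
    attribute is ignored unless the directive also carries 'unsafe-hashes'
    (CSP level 3), so attribute hashes are added only when the caller opts in.
    """
    bodies, attrs = collect_inline_styles(html)
    sources = ["'self'"] + [csp_hash(body) for body in bodies]
    if attrs and allow_attributes:
        sources.append("'unsafe-hashes'")
        sources.extend(csp_hash(value) for value in attrs)
    return "style-src " + " ".join(sources)


if __name__ == "__main__":
    print("Content-Security-Policy:", build_style_src(SAMPLE_HTML))
    _, attrs = collect_inline_styles(SAMPLE_HTML)
    for value in attrs:
        # Under a hash-only policy these are the styles Chrome reports as blocked.
        print(f"style attribute {value!r} is not hash-allowed; "
              f"its hash {csp_hash(value)} only counts with 'unsafe-hashes'")
```

Running the script prints a header whose single hash matches the <style> body, and names the green style attribute as the one that a hash-only policy cannot admit; feeding it a page whose <style> body gained a trailing newline shows why "correct-looking" hashes still fail, since the digest changes with every byte.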