
[WebProfilerBundle] New CSP directives broken with default-src #36641

Closed
Khartir opened this issue Apr 30, 2020 · 3 comments

Comments

@Khartir

Khartir commented Apr 30, 2020

WebProfilerBundle version(s) affected: 5.0.8 definitely; I assume 4.4.8 and 3.4.40 are affected as well.

Description
#36315 added support for style-src-elem and script-src-elem. However, they are set to both unsafe-inline and nonce-. This is not allowed in Chrome: "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem * 'unsafe-inline' 'nonce-597c34dd0a6b70c13de427990c2cfe3f'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list."

How to reproduce
Set up a new Symfony 5 project, add nelmio/security-bundle and configure it to use default-src: *.
Alternatively create a controller that adds a CSP header:
$response->headers->add(['Content-Security-Policy' => 'default-src *']);
Any value other than unsafe-inline for default-src causes the bug.
Note that the incorrect headers are always sent, but the error is only triggered if there is an inline style. Rendering the debug bar will therefore cause the error.
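To make the failure mode concrete, here is an added PHP example (not code from Symfony, WebProfilerBundle or nelmio/security-bundle) that models the header rewriting the report describes: a directive that inherits from default-src and then receives both 'unsafe-inline' and a nonce, beside a variant that appends only the nonce, plus a small lint check that flags any directive where 'unsafe-inline' would be ignored. All function and variable names are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not WebProfilerBundle or nelmio/security-bundle code.
// A browser ignores 'unsafe-inline' in a source list that also carries a
// nonce or hash, so a directive must not end up with both. All function and
// variable names here are illustrative assumptions.

/** Parse "default-src *; style-src 'self'" into ['default-src' => ['*'], ...]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $directives[$name] = $tokens;
    }
    return $directives;
}

/** Serialize the array form back into a header value. */
function serializeCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = trim($name . ' ' . implode(' ', $sources));
    }
    return implode('; ', $parts);
}

/** Sources a directive inherits: its own list, else default-src, else nothing. */
function inheritedSources(array $csp, string $directive): array
{
    return $csp[$directive] ?? $csp['default-src'] ?? [];
}

/**
 * The broken behaviour from the report: the nonce is appended together with
 * 'unsafe-inline', so "default-src *" yields
 * "style-src-elem * 'unsafe-inline' 'nonce-...'" and Chrome ignores the keyword.
 */
function addNonceBroken(string $header, string $directive, string $nonce): string
{
    $csp = parseCsp($header);
    $csp[$directive] = array_merge(inheritedSources($csp, $directive), ["'unsafe-inline'", "'nonce-$nonce'"]);
    return serializeCsp($csp);
}

/**
 * A fixed variant (an assumption, not the project's actual patch): if inline
 * content is already allowed via 'unsafe-inline', leave the directive alone,
 * since a nonce would silently disable that allowance; otherwise append only
 * the nonce, never both keywords.
 */
function addNonceFixed(string $header, string $directive, string $nonce): string
{
    $csp = parseCsp($header);
    $sources = inheritedSources($csp, $directive);
    if (!in_array("'unsafe-inline'", array_map('strtolower', $sources), true)) {
        $sources[] = "'nonce-$nonce'";
    }
    $csp[$directive] = $sources;
    return serializeCsp($csp);
}

/** Lint check: names of directives that mix 'unsafe-inline' with a nonce or hash. */
function directivesWithIgnoredUnsafeInline(string $header): array
{
    $bad = [];
    foreach (parseCsp($header) as $name => $sources) {
        $lower = array_map('strtolower', $sources);
        $hasInline = in_array("'unsafe-inline'", $lower, true);
        $hasNonceOrHash = preg_grep("/^'(nonce-|sha(256|384|512)-)/", $lower) !== [];
        if ($hasInline && $hasNonceOrHash) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed input mirroring the reproduction: a controller sending "default-src *".
$nonce = bin2hex(random_bytes(16));
$incoming = 'default-src *';

$broken = addNonceBroken($incoming, 'style-src-elem', $nonce);
$fixed = addNonceFixed($incoming, 'style-src-elem', $nonce);

foreach (['broken' => $broken, 'fixed' => $fixed] as $label => $policy) {
    $flagged = directivesWithIgnoredUnsafeInline($policy);
    echo "$label: $policy\n";
    echo "  directives with ignored 'unsafe-inline': " . ($flagged ? implode(', ', $flagged) : 'none') . "\n";
}
```

Run with `php example.php`: the "broken" policy is flagged on style-src-elem, the "fixed" one is not. The lint function is also useful on its own against the `Content-Security-Policy` value a response actually sends, since the report notes the incorrect header is always emitted even when no inline style happens to trigger the console error.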

@isofianos-thelist-app

isofianos-thelist-app commented May 1, 2020

I am running a project in Symfony 3.4.40 using nelmio/security-bundle.
I also confirm that Firefox shows a warning about style-src-elem and script-src-elem but works properly, whereas in Chrome it is not working at all.

Disabling CSP, or setting default-src to * or unsafe-inline, resolves the issue.
Also if running in production mode the issue is not happening.

@nicolas-grekas
Member

Anyone up for a PR to fix this issue?

@nicolas-grekas
Member

Actually, I'm closing in favor of #36643 and #36645
Please send a patch to fix these issues.
