Fix CSP style-src-elem allowlist

app/Http/Middleware/ContentSecurityPolicy.php

@@ -48,15 +48,6 @@ class ContentSecurityPolicy
             "'nonce-{$styleNonce}'",
             'https:',
         ];
-        $styleElemSources = [];
-        if ($allowUnsafeInlineStyles) {
-            $styleElemSources = [
-                "'self'",
-                "'unsafe-inline'",
-                'https:',
-                'data:',
-            ];
-        }
 
         $connectSources = [
             "'self'",
@@ -129,6 +120,11 @@ class ContentSecurityPolicy
         $styleSources[] = 'data:';
         $connectSources[] = 'https:';
         $fontSources[] = 'https:';
+        $styleElemSources = $styleSources;
+
+        if ($allowUnsafeInlineStyles) {
+            $styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
+        }
 
         $directives = [
             'default-src' => ["'self'"],

tests/Feature/SecurityHeadersTest.php

@@ -36,6 +36,7 @@ class SecurityHeadersTest extends TestCase
             $response->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
             $response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
             $response->assertHeader('Content-Security-Policy');
+            $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
             $response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
             $response->assertCookie('XSRF-TOKEN');
 
@@ -46,6 +47,7 @@ class SecurityHeadersTest extends TestCase
 
             $login->assertOk();
             $login->assertHeader('Content-Security-Policy');
+            $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
             $login->assertHeader('X-Frame-Options', 'SAMEORIGIN');
             $login->assertCookie('XSRF-TOKEN');
         } finally {