I’m evaluating a CSP policy using https://csp-evaluator.withgoogle.com/. The policy is configured as follows:
default-src 'self';object-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';script-src-elem 'self' 'unsafe-inline' 'unsafe-eval';script-src-attr 'self' 'unsafe-inline';
Why is only 'unsafe-inline' of 'script-src' reported as a high-severity finding? From what I understand, 'script-src-elem' 'unsafe-inline' could also be dangerous. What am I missing?
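As an added illustration (not part of the question and not code from csp-evaluator), the script below applies the CSP Level 3 fallback rules to the policy above: inline <script> elements are governed by script-src-elem, falling back to script-src and then default-src, and inline event handlers by script-src-attr with the same fallback. It also implements the rule that 'unsafe-inline' is ignored once the governing directive carries a nonce or hash source. The second policy (NONCE_POLICY) is a constructed comparison, not anything from the question.

```javascript
// Added example (not from the question or from csp-evaluator): a small
// resolver that applies the CSP Level 3 fallback chain to decide which
// directive governs inline <script> elements and inline event handlers,
// and whether that directive permits them.

// Parse "dir a b; dir2 c" into { dir: ["a","b"], dir2: ["c"] }.
// Directive names are case-insensitive; the first occurrence of a
// directive wins and later duplicates are ignored, as browsers do.
function parsePolicy(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// CSP3 fallback order for the two inline-script contexts.
const FALLBACK = {
  'script-element':   ['script-src-elem', 'script-src', 'default-src'],
  'script-attribute': ['script-src-attr', 'script-src', 'default-src'],
};

// Name of the first directive in the fallback chain that the policy
// actually sets, or null when none is present (context is unrestricted).
function effectiveDirective(policy, context) {
  for (const name of FALLBACK[context]) {
    if (name in policy) return name;
  }
  return null;
}

// 'unsafe-inline' only takes effect when the governing directive contains
// it and does not also contain a nonce or hash source (since CSP2 the
// keyword is ignored in that case).
function inlineAllowed(policy, context) {
  const name = effectiveDirective(policy, context);
  if (name === null) return true; // nothing restricts this context
  const sources = policy[name].map(s => s.replace(/^'|'$/g, '').toLowerCase());
  const hasNonceOrHash = sources.some(s => /^(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes('unsafe-inline') && !hasNonceOrHash;
}

// Summarise, per context, which directive applies and whether inline is allowed.
function report(header) {
  const policy = parsePolicy(header);
  const out = {};
  for (const context of Object.keys(FALLBACK)) {
    out[context] = {
      governedBy: effectiveDirective(policy, context),
      inlineAllowed: inlineAllowed(policy, context),
    };
  }
  return out;
}

// The policy from the question, verbatim.
const QUESTION_POLICY =
  "default-src 'self';object-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';" +
  "script-src-elem 'self' 'unsafe-inline' 'unsafe-eval';script-src-attr 'self' 'unsafe-inline';";

// Constructed comparison (assumption, not from the question): 'unsafe-inline'
// stays only at the script-src level while script-src-elem is locked to a
// nonce, so inline <script> elements are blocked but inline event handlers,
// which fall back to script-src, are still allowed.
const NONCE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; script-src-elem 'self' 'nonce-abc123'";

console.log(report(QUESTION_POLICY));
console.log(report(NONCE_POLICY));
```

For the policy in the question both contexts resolve to their own directive (script-src-elem and script-src-attr), and both carry 'unsafe-inline' with no nonce or hash, so inline script elements and inline handlers are allowed regardless of what script-src says; script-src would only be consulted if one of the more specific directives were absent.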