I have a website that integrates several CSS stylesheets from my own server and a stylesheet from a remote server.
I wanted to write my content security policy to allow all local stylesheets and only that one specific remote stylesheet. That was my attempt:
style-src 'self' 'sha256-L/W5Wfqfa0sdBNIKN9cG6QA5F2qx4qICmU2VgLruv9Y='
However, when I visited my website, Chrome 78 claimed that the remote stylesheet did not match existing content security policies and declined to apply it. I looked at this similar question, where the solution was to apply 'unsafe-hashes', which did not solve my problem. It seems that there is a difference between an externally bound script and an inline script.
So my question is, why does Chrome claim that this script is not allowed? And what do I need to allow this script? (Apart from a general whitelist for the domain)