CSP does not block inline style on SVG
Reported by michael....@gmail.com, Oct 19 2017
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0

Steps to reproduce the problem:
1. On server, set CSP headers to contain: style-src 'self'
2. Serve an SVG with an inline style.
3. In chromium, load a webpage with an img src pointing to that SVG.

What is the expected behavior?
CSP will block the inline styles.

What went wrong?
CSP allows the inline styles. Note, if you load the image directly in chromium, it will rightly block the style and issue a warning to the console.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: Version 62.0.3202.62 (Developer Build) (64-bit) Channel: stable
OS Version: Arch
Flash Version: NA

For debugging, I've attached an SVG with an inline style that makes it hard to read if blocked. Firefox 57 correctly blocks this inline style.
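The reproduction steps above as a local Node.js test server, added here as an example and not part of the original report. The SVG content, file name, routes and port are constructed assumptions; the reporter's attached SVG is not reproduced.

```javascript
// Constructed SVG: its inline <style> is what `style-src 'self'` should block.
const SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="300" height="60">
  <style>text { fill: #060; font: bold 24px sans-serif; }</style>
  <rect width="300" height="60" fill="#eee"/>
  <text x="10" y="38">inline style applied</text>
</svg>`;

// Page that embeds the SVG through <img> (step 3) and links to it directly.
const PAGE = `<!doctype html><title>CSP SVG test</title>
<p>SVG embedded via img:</p><img src="/test.svg" alt="test">
<p><a href="/test.svg">Open the SVG directly</a></p>`;

// Policy from step 1 of the report.
const CSP = "style-src 'self'";

// Pure routing function so the responses can be checked without a socket.
function respond(path) {
  const routes = {
    '/': ['text/html; charset=utf-8', PAGE],
    '/test.svg': ['image/svg+xml', SVG],
  };
  const hit = routes[path];
  if (!hit) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': hit[0], 'Content-Security-Policy': CSP },
    body: hit[1],
  };
}

// Start with: node csp-svg.js --serve   (file name and port are assumptions)
if (process.argv.includes('--serve')) {
  import('node:http').then(({ createServer }) => {
    createServer((req, res) => {
      const r = respond(new URL(req.url, 'http://localhost').pathname);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(8080, '127.0.0.1', () => console.log('http://127.0.0.1:8080/'));
  });
}
```

Load `/` and `/test.svg` in the browser under test and compare: per the report, the direct load blocks the style and logs a console warning, while the `img` embed is the case in question.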
Comment 1 by f...@opera.com, Oct 20 2017
Status: Duplicate (was: Unconfirmed)