Security: DevTools Network panel response preview does not honor header CSP
Reported by exhnoz...@gmail.com, Jul 7
Issue description

VULNERABILITY DETAILS
On a web page with a Content Security Policy, the CSP header is ignored in the response Preview on the DevTools Network panel. When the CSP is in a header, the images, stylesheets, and webfonts are requested and displayed as if there were no CSP. The CSP appears to be respected when it is in a meta tag (though displaying the preview seems to cause the thumbnail images from #860840 to reload).

VERSION
Chrome Version: 67.0.3396.99 stable
Operating System: Windows 10 Pro Version 1803 OS Build 17134.112

REPRODUCTION CASE
The preview only seems to load resources with full URLs, so that is an important part of reproducing this.

1. Run a local PHP development server with this command: php -S localhost:9999
2. Load http://localhost:9999/index.php with DevTools open to the Network panel.
3. See the text is not bold, and log.php has Status (blocked:csp) (and log.txt is empty).
4. Click index.php on the Network panel, then go to the Preview tab.
5. See the text is bold in the preview.
6. Open log.txt and see that a request was logged by log.php.

index.php:

    <?php
    // The policy is delivered in a response header, not in a <meta> tag.
    header("Content-Security-Policy: default-src 'none'");
    ?>
    <!DOCTYPE html>
    <link href="http://localhost:9999/log.php" rel="stylesheet">
    This text should not be bold.

log.php:

    <?php
    // Append the full request environment to log.txt so any fetch of this
    // stylesheet (including one made by the preview) leaves evidence,
    // then serve a tiny CSS file that makes the page text bold.
    file_put_contents('log.txt', var_export($_SERVER, true) . PHP_EOL, FILE_APPEND);
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Content-Type: text/css');
    ?>
    body { font-weight: bold; }

log.txt: [Empty file that log.php can write to]
Jul 9
+tsepez for thoughts/triage
Jul 10
CCing some devtools folks. It does seem to me that we should apply the policy delivered along with the preview to the previewed page. It's not clear to me what origin the preview runs in, though: is it rendered via a `data:` URL, for instance?
Jul 10
Issue 860840 has been merged into this issue.
Jul 10
Does any JavaScript run when rendering a preview?
Jul 10
Jul 11
As far as I can tell, no JavaScript runs in the preview.
Jul 17
Jul 17
re #c3: this preview is indeed rendered via `data:` URL. Does that disable CSP or some other features? If so, I'll WontFix this issue since we do not aim for a perfect replica in preview.
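The rendering path named in this comment (the response body re-rendered from a `data:` URL) and the Jul 10 suggestion to apply the delivered policy to the preview, as an added JavaScript example that is not Chromium code and not posted by anyone in this thread. It models the preview as a base64 `data:` URL built from the body alone, shows that a header-delivered CSP is simply absent from what gets rendered while a `<meta>`-delivered one survives, and demonstrates one mitigation: copying the header policy into a `<meta http-equiv="Content-Security-Policy">` tag ahead of the first subresource reference, minus the directives the CSP spec ignores in meta delivery (frame-ancestors, report-uri, sandbox). The sample headers and body are constructed to mirror the repro, and every function name here (`inlineHeaderCsp`, `effectivePreviewCsp`, and so on) is this example's own, not a DevTools API.

```javascript
// Added example (not Chromium's DevTools code): why a CSP sent as a response
// header never reaches a preview rendered from a data: URL, and one way a
// previewer could carry the policy across by inlining it as a <meta> tag.
// Assumes Node.js (Buffer for base64); no browser APIs are used.

// Directives the CSP spec ignores when a policy is delivered via <meta>, so
// copying them into the inlined tag would be misleading.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Constructed sample mirroring the repro: a header CSP plus a body that
// references a stylesheet by absolute URL (the repro's local server).
const SAMPLE_HEADERS = { 'Content-Security-Policy': "default-src 'none'" };
const SAMPLE_BODY =
  '<!DOCTYPE html>\n' +
  '<link href="http://localhost:9999/log.php" rel="stylesheet">\n' +
  'This text should not be bold.\n';

// Parse a CSP value into an ordered list of [directive-name, source-list].
function parseCsp(value) {
  return value.split(';')
    .map(d => d.trim())
    .filter(Boolean)
    .map(d => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    });
}

// Serialize directives back into a header/meta value.
function serializeCsp(directives) {
  return directives.map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// The naive preview: only the body is encoded, so every response header is
// dropped on the floor, CSP included.
function bodyToDataUrl(body, mime = 'text/html') {
  return `data:${mime};base64,${Buffer.from(body, 'utf8').toString('base64')}`;
}

function dataUrlToBody(url) {
  return Buffer.from(url.slice(url.indexOf(',') + 1), 'base64').toString('utf8');
}

// Policy carried by a <meta http-equiv="Content-Security-Policy"> tag, if any.
// Assumes http-equiv precedes content inside the tag (enough for this example).
function metaCsp(html) {
  const m = html.match(
    /<meta\b[^>]*\bhttp-equiv=(["'])content-security-policy\1[^>]*\bcontent=(["'])(.*?)\2/i);
  return m ? m[3] : null;
}

// What is actually enforced when `body` is rendered from a data: URL. The
// `headers` argument is deliberately unused: nothing from it reaches the URL,
// so only a meta policy can survive the round trip.
function effectivePreviewCsp(headers, body) {
  return metaCsp(dataUrlToBody(bodyToDataUrl(body)));
}

// Mitigation: copy the header policy into a <meta> tag placed before any
// subresource reference, so the data: URL render enforces it. A meta policy
// governs only fetches parsed after it, hence the placement rules below.
function inlineHeaderCsp(headers, body) {
  const entry = Object.entries(headers)
    .find(([k]) => k.toLowerCase() === 'content-security-policy');
  if (!entry) return body;
  const kept = parseCsp(entry[1]).filter(([name]) => !META_UNSUPPORTED.has(name));
  if (kept.length === 0) return body;
  const value = serializeCsp(kept).replace(/"/g, '&quot;');
  const meta = `<meta http-equiv="Content-Security-Policy" content="${value}">`;
  // Earliest legal spot: right after <head>, else after the doctype, else first.
  const head = body.match(/<head\b[^>]*>/i);
  if (head) {
    const end = head.index + head[0].length;
    return body.slice(0, end) + meta + body.slice(end);
  }
  const doctype = body.match(/<!doctype\b[^>]*>/i);
  if (doctype) {
    const end = doctype.index + doctype[0].length;
    return body.slice(0, end) + '\n' + meta + body.slice(end);
  }
  return meta + body;
}
```

Run against the sample, `effectivePreviewCsp` returns `null` for the raw body (the stylesheet would load, exactly as the report describes) and `default-src 'none'` once `inlineHeaderCsp` has been applied, with the `<meta>` landing before the `<link>`. Because frame-ancestors, report-uri and sandbox cannot be expressed in a meta tag, a preview built this way still is not a perfect replica of the page's policy; it only closes the gap for fetch-governing directives like the one in the repro.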
Jul 27
Aug 27
As per #9, wontfixing.
Dec 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kenrb@chromium.org, Jul 7