Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 3.2.6 |
Consider the following code in `WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php`:

```php
// Make sure 'unsafe-inline' is present in the directive's source list
if (!in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
    $headers[$header][$type][] = '\'unsafe-inline\'';
}
// Then append the per-request nonce to the same source list
$headers[$header][$type][] = sprintf('\'nonce-%s\'', $nonces[$tokenName]);
```
If one of my CSP directives looks like `style-src 'self' 'unsafe-inline';`, then `nonce-<hash>` is not added. But when I remove the `'unsafe-inline'` part, the directive is transformed into `style-src 'self' 'unsafe-inline' 'nonce-%hash%';`, and this causes a CSP violation (Chrome 57.0.2987.110 (64-bit)):

```
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-b20c6f15cd91eebde540bfff16296462'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
```
Consider the last sentence: the browser says that `'unsafe-inline'` and `'nonce-<hash>'` are incompatible. I looked in the docs (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script) and found the following notice:

> To allow inline scripts and inline event handlers, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.

So, it is only allowed to use `'unsafe-inline'`, or both nonce and hash, but not all together. The same applies to `'script-src'`.
ping @romainneutron
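The browser rule quoted in the Chrome message ("'unsafe-inline' is ignored if either a hash or nonce value is present in the source list") can be modelled directly, so a handler can tell when appending a nonce silently disables `'unsafe-inline'` that the application relied on. The code below is an added, stand-alone example and is not Symfony's code; the function names (`parseCsp`, `buildCsp`, `hasNonceOrHash`, `unsafeInlineIsEffective`, `addNonce`), the sample policy and the placeholder nonce `EXAMPLE_NONCE` are all constructed for the illustration.

```php
<?php
// Added example (not part of Symfony): models the CSP Level 2 rule that
// 'unsafe-inline' is ignored once a nonce-source or hash-source is present.

/** Parse a CSP header value into directive name => list of source expressions. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $directives[$name] = $tokens;
    }

    return $directives;
}

/** Serialize the directive map back into a header value. */
function buildCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = trim($name.' '.implode(' ', $sources));
    }

    return implode('; ', $parts);
}

/** True when the source list contains a nonce-source or a hash-source. */
function hasNonceOrHash(array $sources): bool
{
    foreach ($sources as $source) {
        if (preg_match("/^'(nonce-|sha(256|384|512)-)/i", $source)) {
            return true;
        }
    }

    return false;
}

/** Does 'unsafe-inline' actually take effect in this source list? */
function unsafeInlineIsEffective(array $sources): bool
{
    return in_array("'unsafe-inline'", $sources, true) && !hasNonceOrHash($sources);
}

/**
 * Append a nonce to one directive's source list.
 * Returns [sources, droppedUnsafeInline]; the flag is true when 'unsafe-inline'
 * was effective before and will be ignored by the browser afterwards, which is
 * exactly the situation the report describes.
 */
function addNonce(array $sources, string $nonce): array
{
    $droppedUnsafeInline = unsafeInlineIsEffective($sources);
    $nonceSource = sprintf("'nonce-%s'", $nonce);
    if (!in_array($nonceSource, $sources, true)) {
        $sources[] = $nonceSource;
    }

    return [$sources, $droppedUnsafeInline];
}

// Constructed sample: the directive from the report with a placeholder nonce.
$policy = parseCsp("default-src 'self'; style-src 'self' 'unsafe-inline'");
[$policy['style-src'], $dropped] = addNonce($policy['style-src'], 'EXAMPLE_NONCE');

echo buildCsp($policy), PHP_EOL;
if ($dropped) {
    echo "warning: 'unsafe-inline' in style-src is now ignored by the browser", PHP_EOL;
}
```

Running it prints the combined `style-src 'self' 'unsafe-inline' 'nonce-EXAMPLE_NONCE'` directive followed by the warning, which is the header that produced the violation above. A handler that checks `unsafeInlineIsEffective()` before appending can either leave such a directive untouched or log that the application's own inline styles will stop loading.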