WebProfiler CSP can be broken by 3.4.40 #36643

Closed
@cs278

Symfony version(s) affected: 3.4.40

Description
A change introduced in 3.4.40 can break content security policy when using the toolbar: #36315

The problem is that Symfony now sets {script,style}-src-elem which overrides {script,style}-src. I'll stick with referencing styles, but the same problem exists for scripts.

How to reproduce

Given a simple policy of default-src https://example.com; style-src 'self', this permits CSS to be loaded from a file on the same origin.

$response->headers->set('Content-Security-Policy', "default-src https://example.com; style-src 'self'");

When the toolbar is enabled Symfony changes the policy to (I removed the script policies for simplicity):

default-src https://google.com; style-src 'self' 'unsafe-inline' 'nonce-123'; style-src-elem https://google.com 'unsafe-inline' 'nonce-123'

This now blocks CSS being loaded as style-src-elem overrides style-src and does not permit 'self'.

Possible Solution

If style-src-elem does not exist and style-src exists either:

  • Do not create it
  • Copy the style-src directives, as is done from default-src

And apply the same fix for scripts.

Additional context

Whilst investigating this I found another bug with the way the 'none' token is handled: #36645
