merging unsafe-inline with nonces/hashes

[bakkot]

The unsafe-inline source expression has no effect when a nonce-source or hash-source is specified (edit: or strict-dynamic, in scripts). Also, nonce-source and hash-source are effectively stricter versions of unsafe-inline, not orthogonal to it. Merging needs to take this into account:

• Unioning script-src 'unsafe-inline' with script-src nonce-asdf should produce script-src 'unsafe-inline', rather than script-src 'unsafe-inline' nonce-asdf (which is effectively script-src nonce-asdf).
• Intersecting script-src 'unsafe-inline' with script-src nonce-asdf should produce script-src nonce-asdf rather than script-src.

[bakkot]

Actually it's not clear whether producing script-src nonce-asdf for the intersection is the right call. script-src 'unsafe-inline' nonce-asdf is equivalent on modern browsers and is as restrictive as possible on browsers which do not support nonce sources.

[bakkot]

Yeah, on further consideration there's no safe way to do union or intersect these two policies. There is no way to express "allows any inline script, and also any script (even if external) with this nonce", nor "allows any inline script with this nonce, but not other inline scripts nor any external scripts".