Disabled directives are still added to the header by library sources

Created on 4 February 2019, over 6 years ago
Updated 19 August 2025, about 2 months ago

When the "script-src-elem" and "style-src-elem" directives are disabled, they are still added to the CSP header.

This is caused by the LibraryPolicyBuilder->getLibrarySources() function in combination with the implementation of the ResponseCspSubscriber->onKernelResponse() function.
getLibrarySources() adds the detected hosts for each directive for both the "with elem" and "without elem" versions of the directive.
The response subscriber just takes all returned directive keys and adds them to the policy. As a result, you now have the "with elem" versions even though you had them disabled in the config.
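A simplified PHP model of the behaviour described above, added here as an illustration and not the CSP module's own code: the config array shape, the directive keys and the function names are assumptions, and the detected hosts are constructed sample values. It contrasts a subscriber that adds every returned directive key with one that first checks whether the directive is enabled.

```php
<?php
// Added illustration, not the CSP module's code; config shape, keys and
// function names are assumptions made for this example.
// Constructed config: the "-elem" directives are unchecked (disabled).
$policyConfig = [
  'script-src' => TRUE, 'script-src-elem' => FALSE,
  'style-src' => TRUE, 'style-src-elem' => FALSE,
];

// Constructed result of a getLibrarySources()-style helper: detected hosts
// come back for both the base directive and its "-elem" variant.
$librarySources = [
  'script-src' => ['https://cdn.example.com'],
  'script-src-elem' => ['https://cdn.example.com'],
  'style-src' => ['https://fonts.example.com'],
  'style-src-elem' => ['https://fonts.example.com'],
];

// Buggy behaviour: every returned directive key lands in the policy, so the
// disabled "-elem" directives appear in the header anyway.
function buildPolicyUnfiltered(array $librarySources): array {
  $policy = [];
  foreach ($librarySources as $directive => $hosts) {
    $policy[$directive] = array_merge(["'self'"], $hosts);
  }
  return $policy;
}

// Corrected behaviour: consult the config and skip disabled directives, so
// only script-src and style-src are emitted and the "-elem" ones inherit.
function buildPolicyFiltered(array $policyConfig, array $librarySources): array {
  $policy = [];
  foreach ($librarySources as $directive => $hosts) {
    if (empty($policyConfig[$directive])) { continue; }
    $policy[$directive] = array_merge(["'self'"], $hosts);
  }
  return $policy;
}

// Serialise a directive => sources map into a Content-Security-Policy value.
function renderHeader(array $policy): string {
  $parts = [];
  foreach ($policy as $directive => $sources) {
    $parts[] = $directive . ' ' . implode(' ', $sources);
  }
  return implode('; ', $parts);
}

echo "Buggy: " . renderHeader(buildPolicyUnfiltered($librarySources)) . "\n";
echo "Fixed: " . renderHeader(buildPolicyFiltered($policyConfig, $librarySources)) . "\n";
```

Running it prints the header twice, with the "-elem" directives present only in the buggy variant; the same filtering check is what keeps the header size down in the case described in the comment below.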

πŸ› Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

🇳🇱 Netherlands paulvandenburg


Comments & Activities


  • 🇺🇸 United States dgroene

    This is not fixed - still experiencing script-src-elem and style-src-elem being added even though they are unchecked/disabled. I want these to not be included and to inherit from script-src and style-src. The fact that these redundant directives are added actually creates an exception on the server due to the size of the header.
    It looks like this patch worked at one time, but the module has undergone a lot of refactoring since then.
