Coverity indicates that |nsCSPContext::GetAllowsInline| can trigger an OOB read [1] in |nsCSPPolicy::allows| [2] when logging by calling |CSP_EnumToKeyword| [3] with the type |CSP_HASH|. Details are provided about CSP_HASH being treated differently [4], and we can see where this has [5] and has not [6,7,8,9,10] been worked around previously. As this is only exposed when the CSP logger is enabled, this should have minimal impact on end users. [1] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.h#146 [2] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPContext.cpp# [3] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#1036-1037 [4] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.h#125-128,137,143-145 [5] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#343 [6] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#597 [7] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#657 [8] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#691 [9] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#790 [10] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#1037

Thanks Eric, we should look into that and bail out early (not just using the static assert) in those cases.