User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20170920100426 Steps to reproduce: * Visited a page with a CSP which does *not* allow style-src 'unsafe-inline' * Inspected an element * Clicked in the "element {}" part of the Rules sidebar * Added a simple "color: blanchedalmond;" rule * Observed the rule wasn't applied. Actual results: * Seemingly, the developer tools tried to inject an inline style * A CSP error was generated: Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src http://localhost:9000 https://fonts.googleapis.com/"). Source: color: blanchedalmond;. Presumably a violation report would've been sent too, if this was configured, continuing to devalue valid CSP report information with noise. Expected results: Doing things in the developer tools (or anywhere in the browser) should not generate CSP violations, these sort of actvities should bypass the policy. A violation shouldn't have been generated, the style should have been applied. Why does this feature use inline style attributes or modify the DOM anyway (surely you could just get a unique selector for the element and append it to a temporary user agent stylesheet?)?

Thanks for filing. I think this is the same as bug 1391994, so I'm going to close this one as a duplicate for now. Please re-open if you think they are actually different.