Open Bug 1529862 Opened 6 years ago Updated 3 years ago

Remove 'unsafe-inline' from style-src CSP directive

Categories

(Tree Management :: Treeherder: Frontend, enhancement, P3)

Tracking

(Not tracked)

People

(Reporter: emorley, Unassigned)

References

(Blocks 1 open bug)

Details

Our initial Content-Security-Policy header in bug 1270157 had to use the 'unsafe-inline' style-src CSP directive, since:

  • the react-select dependency uses the emotion package (CSS in JS) which uses inline styles. Bug 1507903 is filed for removing Treeherder's dependency on react-select.
  • there are a few places left in our own codebase that use inline styles
  • our usage of Font Awesome needs to be tweaked to manually import the CSS and disable automatic style injection - see: https://fontawesome.com/how-to-use/on-the-web/other-topics/security#policy

In the meantime it is important to ensure, when reviewing frontend changes, that no more inline styles are added in our JSX.

Blocks: 1270153
Depends on: 1568913
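As an added illustration, not code from this bug or from Treeherder: a small JavaScript check that parses a Content-Security-Policy header value, resolves style-src (falling back to default-src as the spec does), and reports whether inline styles are still permitted. The two sample policies are constructed for the example and are not Treeherder's real header.

```javascript
// Added example (not Treeherder code): a small CSP policy checker that reports
// whether a policy still lets inline styles run, which is what removing
// 'unsafe-inline' from style-src is meant to prevent.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// style-src falls back to default-src when absent (CSP fallback rules).
function effectiveStyleSources(policy) {
  if (policy['style-src']) return policy['style-src'];
  if (policy['default-src']) return policy['default-src'];
  return null; // no style restriction at all
}

// True when inline <style> elements / style="" attributes would be allowed.
// A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+),
// so the policy is treated as inline-safe once one is present.
function allowsInlineStyles(header) {
  const sources = effectiveStyleSources(parseCsp(header));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) return false;
  return sources.includes("'unsafe-inline'");
}

// Constructed sample policies: the weak one beside the target one.
const CURRENT_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
const TARGET_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:";

console.log(allowsInlineStyles(CURRENT_POLICY)); // true
console.log(allowsInlineStyles(TARGET_POLICY));  // false
```

Running the check against the header a deployment actually sends is a quick way to confirm the directive was really dropped, including the case where style-src is absent and default-src silently carries 'unsafe-inline'.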

What needs to be done here?

Nothing at the moment. Since we recently switched to using the Victory graph library, which uses inline styles, we're unable to set this directive in our CSP. (Most graph libraries have this problem and it's been cleared with our security team. It's not ideal, but ok to leave it for now.)
