CSP script-src with hashes allow inline event handlers to match the hash (even if 'unsafe-hashes' is not present)
Categories
(Core :: DOM: Security, defect, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr78 | --- | wontfix
firefox84 | --- | wontfix
firefox85 | --- | wontfix
firefox86 | --- | fix-optional
People
(Reporter: Moritz-Wilhelm, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: regression, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Steps to reproduce:
1.) Open Firefox
2.) visit about:blank or http://example.com
3.) open the console
4.) enter document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<img src="" onerror="alert(42)">`)
Alternatively use the following example html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">
</head>
<body>
<img src="" onerror="alert(42)">
</body>
</html>
Actual results:
An alert box with 42 is shown although the CSP prohibits it (see attachment).
This is actually the expected behavior for:
script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A=' 'unsafe-hashes'
Expected results:
Inline event handler script should be blocked due to the CSP.
Inline event handlers may only be executed if there is no script-src (or default-src) or if 'unsafe-inline' is present.
Hashes may only match inline scripts (via script tags). The newest 'unsafe-hashes' keyword should allow inline event handlers (and javascript: URLs) to match hashes [1]; however, this is not supported in Firefox yet [2, 3].
[1] https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
[2] https://caniuse.com/?search=unsafe-hashes
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
Comment 1 • Reporter • 4 years ago
4.) enter document.write(
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">
); document.write(<img src="" onerror="alert(42)">
)
should be
4.) enter document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<img src="" onerror="alert(42)">`)
(markdown ate the backticks)
Comment 2 • 4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 3 • 4 years ago
Attaching a test case to test easily on other systems.
Comment 4 • 4 years ago
I could not reproduce using the first steps to reproduce due to a syntax error; Step 4 may be incorrect.
I have managed to reproduce it with the HTML test page provided and the "42" text alert gets displayed.
I have attempted to provide a regression range, but it appears that bisection could not be finished. Results:
"2021-01-11T13:05:32: INFO : platform_version: 63.0a1
2021-01-11T13:07:18: INFO : Narrowed nightly regression window from [2018-07-14, 2018-07-16] (2 days) to [2018-07-15, 2018-07-16] (1 days) (~0 steps left)"