Several different CSP directives can cause different kinds of breakages in the Brave adblocker's element picker UI.
Blocking scripts via an explicit or implicit script-src: 'none' directive causes the page to turn blank during element-picking. In most cases, the element-picker still works; users just need to remember where the desired element is located and click that area, blind. In at least one case, the rules-box failed to render altogether.
A sandbox directive that lacks allow-same-origin and/or allow-scripts will allow the element-picker to show, but render it non-interactive.
Follow the steps on the page to reproduce the issue with four different Content-Security-Policy headers. Observe that the fetch directives on seirdy.one alone are enough to hide the rules box and turn the page blank. The sandbox directive without allow-scripts allow-same-origin renders the element-picker completely non-interactive.
I've been encountering this issue for months, so it should be visible in the stable and beta channels too.
Miscellaneous Information:
For comparison:
uBlock Origin for Firefox only breaks upon encountering a sandbox directive without allow-scripts allow-same-origin; fetch directives do not break it.
Adguard's experimental Manifest v3 version works perfectly well in Chromium on CSPs with sandbox allow-same-origin. Its element picker fails to load JavaScript if allow-same-origin is not present.
Reproduces how often:
Consistently reproduced.
Brave version (brave://version info)
1.47.55 Chromium: 107.0.5304.91 (Official Build) nightly (64-bit)
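For triaging which sites will hit each breakage, the sketch below (an added example, not code from this report or from Brave) parses a Content-Security-Policy header value and returns the breakage that the description above predicts for it. The function names, the `blank-page` and `non-interactive` labels and the sample headers are constructed for illustration; `script-src-elem` is not handled.

```javascript
// Added example: map a CSP header value to the picker breakage this report describes.
// All names and labels are hypothetical; the mapping comes only from the report's observations.

// Parse a CSP header value into a Map of directive name -> array of tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src falls back to default-src, which is how 'none' can be implicit.
function scriptsBlocked(policy) {
  const name = policy.has('script-src') ? 'script-src' : 'default-src';
  if (!policy.has(name)) return false;
  const src = policy.get(name);
  // An empty source list matches nothing, the same as a lone 'none'.
  return src.length === 0 || (src.length === 1 && src[0].toLowerCase() === "'none'");
}

// Return the sandbox flags the report says the picker needs but the policy lacks.
function sandboxMissingFlags(policy) {
  if (!policy.has('sandbox')) return [];
  const flags = new Set(policy.get('sandbox').map((f) => f.toLowerCase()));
  return ['allow-same-origin', 'allow-scripts'].filter((f) => !flags.has(f));
}

function predictPickerBreakage(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (scriptsBlocked(policy)) findings.push('blank-page');
  if (sandboxMissingFlags(policy).length > 0) findings.push('non-interactive');
  return findings;
}

// Constructed sample headers, not taken from any real site.
const samples = [
  "default-src 'none'; img-src 'self'",
  "script-src 'self'; sandbox allow-scripts",
  "script-src 'self'; sandbox allow-scripts allow-same-origin",
];
for (const h of samples) console.log(h, '=>', predictPickerBreakage(h));
```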