krakenjs / lusca

Application security for express apps.

CSP policy is wrong when whitespace is missing before 'self' #137

Open danielcl opened 4 years ago

danielcl commented 4 years ago

I just realized that you need to write the policy like this in order for the nonce to work:

policy: {
    "default-src": "'self'",
    "img-src": "'self'",
    "style-src": " 'self' 'unsafe-inline'",
    "script-src": " 'self' 'unsafe-eval'"
},

The important part is the whitespace before 'self'. If there is no whitespace, it generates a wrong CSP policy, and Chrome, for example, shows a warning like this:

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-157452790003100'unsafe-eval''. It will be ignored.
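As an added example (not code from the lusca project or from this issue's author), the script below reproduces the fused-token failure with a naive string-prepend of the nonce, shows a separator-safe alternative that tokenizes before joining, and includes a checker that flags source expressions a browser would reject. The nonce value and the directive strings other than the warning text quoted above are constructed.

```javascript
// Added example, not lusca's own code. Demonstrates why a missing space
// before the configured sources fuses the injected nonce with the next token.

// Simplified CSP source-expression grammar: quoted keywords, nonce/hash
// sources, scheme sources (e.g. "https:") and host sources.
const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);
const NONCE_OR_HASH = /^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$/;
const SCHEME = /^[a-z][a-z0-9+.-]*:$/i;
const HOST = /^(\*|(https?:\/\/)?(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?(\/[^\s']*)?)$/i;

// Split one directive value on whitespace and return the tokens that match
// none of the grammar rules, i.e. the ones a browser reports as invalid.
function invalidSources(value) {
  return value.trim().split(/\s+/).filter((t) =>
    t.length > 0 && !KEYWORDS.has(t) && !NONCE_OR_HASH.test(t) &&
    !SCHEME.test(t) && !HOST.test(t));
}

// Naive injection (the bug class): prepend the nonce token as a raw string.
// Without a leading space in `value`, the two tokens are glued together.
function naiveInject(value, nonce) {
  return `'nonce-${nonce}'` + value;
}

// Separator-safe injection: tokenize the configured value first, then join
// everything with single spaces, so leading/extra whitespace no longer matters.
function safeInject(value, nonce) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  return [`'nonce-${nonce}'`, ...tokens].join(" ");
}

// Constructed sample nonce and directive value (no leading space).
const sampleNonce = "abc123";
const sampleValue = "'self' 'unsafe-eval'";
console.log("naive :", naiveInject(sampleValue, sampleNonce),
            "-> invalid:", invalidSources(naiveInject(sampleValue, sampleNonce)));
console.log("safe  :", safeInject(sampleValue, sampleNonce),
            "-> invalid:", invalidSources(safeInject(sampleValue, sampleNonce)));
```

Running the checker over the token from the Chrome warning flags it, while the separator-safe variant yields a clean source list whether or not the configured value starts with a space.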