I had the exact same issue. This isn’t a bug - Chrome automatically injects inline CSS when displaying XML files to make them look prettier with syntax highlighting and collapsible elements. Your CSP blocks these styles.
Add these specific SHA256 hashes to your CSP policy:
Content-Security-Policy: style-src 'self'
'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo=';
img-src 'self' data: https://www.w3.org/2000/svg;
Method 1: Check Chrome DevTools
Chrome actually tells you the hash in the error message! Look at your console error - it says ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='). That’s one of the hashes you need.
Method 2: Use Online CSP Hash Generator
Open your sitemap.xml in Chrome
Right-click → View Page Source
Copy any <style> content you see
Use a CSP hash generator tool to convert it to SHA256
Add the hash to your policy
'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' - Hash for Chrome’s base XML styling
'sha256-p08VBe6m5i8+qtXWjnH/AN3klt1l4uoOLsjNn8BjdQo=' - Hash for Chrome’s tree structure styles
These are the actual CSS content hashes that Chrome’s XML viewer uses.
// Bad - opens security holes
style-src 'self' 'unsafe-inline';
// Good - only allows Chrome's XML viewer styles
style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=';
Using 'unsafe-inline' defeats the whole purpose of having CSP. The hash approach only allows the exact styles Chrome needs.
Firefox doesn’t inject inline styles for XML display, so it doesn’t trigger CSP violations.
After adding those hashes:
✅ Chrome displays your sitemap.xml with proper formatting
✅ No more CSP errors in console
✅ Your security policy stays strict
✅ Search engines can still crawl normally
Tested this on Chrome 136+ and it works perfectly. Your sitemap will look nice and formatted while keeping CSP protection active.
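Method 2 from the answer above can be done locally instead of pasting page source into an online generator. This is an added example, not code from the original post: it extracts every inline `<style>` body from saved page source and builds the matching `style-src` directive. The function names and the sample source are hypothetical and constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def csp_hash(style_text: str) -> str:
    """Return the CSP source expression for one inline <style> body.

    The hash covers the exact bytes between the tags, whitespace included.
    """
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


class _StyleCollector(HTMLParser):
    """Collects the text content of each <style> element, empty ones too."""

    def __init__(self):
        super().__init__()
        self.styles = []
        self._buf = None  # None means "not inside a <style> element"

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.styles.append("".join(self._buf))
            self._buf = None


def style_src_for(page_source: str) -> str:
    """Build a style-src directive allowing only the inline styles found."""
    collector = _StyleCollector()
    collector.feed(page_source)
    collector.close()
    hashes = sorted({csp_hash(s) for s in collector.styles})
    return " ".join(["style-src", "'self'", *hashes])


# Constructed sample page source (not Chrome's real XML viewer markup).
SAMPLE_SOURCE = """<html><head>
<style>div.header { border-bottom: 2px solid black; }</style>
<style></style>
</head><body></body></html>"""

if __name__ == "__main__":
    print(style_src_for(SAMPLE_SOURCE))
```

An empty `<style></style>` element hashes to `'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='`, because that value is the SHA-256 of zero bytes. Any change to a style body, even a trailing newline, produces a different hash, so recompute after browser updates.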