The 'unsafe-hashes' keyword allows websites to use hashes in their CSP
to allow list event handlers and style attributes.
We landed disabled support for unsafe-hashes in Firefox 108 with
https://bugzilla.mozilla.org/show_bug.cgi?id=1797070, which also
included a fix for a security bug. The security bug basically meant
that Firefox behaved like every policy included 'unsafe-hashes'. There
is at least one website that breaks with the security bug fixed and
without support for unsafe-hashes:
https://bugzilla.mozilla.org/show_bug.cgi?id=1805948
* Because of the observed breakage we might decide to uplift this
feature into earlier versions of Firefox.