CSP added but Lighthouse flags it as missing

Mark Edlington

Sep 21, 2021, 6:49:51 AM
to lighthouse-discuss

I've added a CSP via PHP but Lighthouse is still saying

'Ensure CSP is effective against XSS attacks'

Here's my CSP. Is there something missing or set incorrectly that could be causing Lighthouse to flag it?

header("Content-Security-Policy: default-src 'self' *.fonts.googleapis.com; style-src fonts.googleapis.com; style-src-elem 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'nonce-$nonce'; object-src 'none'; base-uri 'self'; report-uri http://mydomain.co.uk ");

I created the CSP one instruction at a time, and throughout the process Lighthouse kept telling me which instructions were missing or failing. Once I'd completed all of them, it no longer told me anything was missing or incorrect, but it still flagged it as an issue.

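An added example, not part of the original post and not Lighthouse's own audit code: a small JavaScript parser that splits the posted policy into directives and reports how its script-src restricts script execution. It applies two CSP rules: a nonce or hash makes supporting browsers ignore 'unsafe-inline', and 'self' and host entries stay in force unless 'strict-dynamic' is present. The nonce value and the function names are assumptions made for this example.

```javascript
// Added example: simplified script-src checks, not Lighthouse's audit code.
// Policy from the post; "EXAMPLEnonce123" is a constructed stand-in for $nonce.
const POSTED_POLICY =
  "default-src 'self' *.fonts.googleapis.com; style-src fonts.googleapis.com; " +
  "style-src-elem 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; " +
  "script-src 'self' 'unsafe-inline' 'nonce-EXAMPLEnonce123'; object-src 'none'; " +
  "base-uri 'self'; report-uri http://mydomain.co.uk ";

// Split a policy into a Map of directive name -> source list.
// Per the CSP spec, a repeated directive is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return findings about how well the policy restricts script execution.
function scriptFindings(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent.
  const script = d.get("script-src") || d.get("default-src");
  if (!script) return ["no script-src or default-src: scripts are unrestricted"];
  const lower = script.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const allowlist = script.filter((s) => !s.startsWith("'") || s.toLowerCase() === "'self'");
  if (lower.includes("'unsafe-inline'")) {
    findings.push(hasNonceOrHash
      ? "'unsafe-inline' is ignored by browsers that honour the nonce or hash"
      : "'unsafe-inline' allows injected inline scripts");
  }
  if (!hasNonceOrHash) findings.push("no nonce or hash in script-src");
  if (allowlist.length > 0 && !strictDynamic) {
    findings.push("allowlist entries still apply (no 'strict-dynamic'): " + allowlist.join(" "));
  }
  if (!d.has("object-src") && !d.has("default-src")) findings.push("object-src is not restricted");
  if (!d.has("base-uri")) findings.push("base-uri is not set");
  return findings;
}

console.log(scriptFindings(POSTED_POLICY));
```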