CSP inline issue nonce
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-Vs0RA4diyTa6WTnfA4Cy3Q=='". Either the 'unsafe-inline' keyword, a hash ('sha256-DCi8t3r+YRqVUj7mwqQSCiWFl6zZOX7K41Xi0fvwscs='), or a nonce ('nonce-…') is required to enable inline execution
Why can’t a malicious script read a nonce from the CSP Header and whitelist itself?
Why can’t a malicious script read a nonce from the CSP Header and decorate itself with the nonce attribute to “whitelist itself”? Or is it too late at that point and the script has already been blocked by the browser?