Inline javascript event handlers interfere with CSP

@crawford

In short: no, there’s no way (without using other plugins/code that filter inline JS).

I asked the same question to support a while ago and submitted it to the roadmap page (but not added to the list by GF). It seems this security issue has no priority at all…

Here is the conversation:

Me:

Gravity Forms adds inline scripts to e.g. the submit button (see below). This makes it impossible to set a Content Security Policy without ‘unsafe-inline’. What can I do to use GF with a CSP without using ‘unsafe-inline’? And are there plans to move inline Javascript to files?

<input type="submit" id="gform_submit_button_135" class="gform_button button gfcom-btn gfcom-btn--dark" value="Submit" onclick="if(window[&quot;gf_submitting_135&quot;]){return false;} if( !jQuery(&quot;#gform_135&quot;)[0].checkValidity || jQuery(&quot;#gform_135&quot;)[0].checkValidity()){window[&quot;gf_submitting_135&quot;]=true;} " onkeypress="if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_135&quot;]){return false;} if( !jQuery(&quot;#gform_135&quot;)[0].checkValidity || jQuery(&quot;#gform_135&quot;)[0].checkValidity()){window[&quot;gf_submitting_135&quot;]=true;} jQuery(&quot;#gform_135&quot;).trigger(&quot;submit&quot;,[true]); }">

Support:

You can suggest adding CSP support directly to our product management team for consideration when planning future releases on our roadmap page at https://www.gravityforms.com/gravity-forms-roadmap/?c=submit-idea

Me:

So right now it’s not possible to use GF with a CSP without using ‘unsafe-inline’? And what about https://docs.gravityforms.com/security/#h-content-security-policy?

Support:

The filter mentioned in that article only applies to tags output in the page header. CSP is not supported for the form specific inline scripts.
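The workaround the thread alludes to (filtering the inline JS and replacing it with an external script) can be illustrated with the button markup quoted above. The following is an added example, not Gravity Forms code and not part of the original post: it reproduces the double-submit guard from the onclick/onkeypress attributes as a plain function, attaches it with addEventListener so the page can ship a script-src policy without 'unsafe-inline', and includes a small audit helper that lists inline on* handlers in rendered HTML so you can verify nothing is left before tightening the header. The element id pattern (gform_<id>, gform_submit_button_<id>), the policy string and the sample markup are assumptions taken from the snippet in the post.

```javascript
// Added example (not Gravity Forms code). Assumes the ids gform_<id> and
// gform_submit_button_<id> and the window["gf_submitting_<id>"] flag seen in
// the inline handlers quoted in the post.

// Pure version of the inline guard. `state` stands in for window (holds the
// gf_submitting_<id> flags); `form` is the form element or a stub.
// Returns false when the click must be blocked (submit already in progress).
function guardSubmit(state, formId, form) {
  const key = "gf_submitting_" + formId;
  if (state[key]) return false;
  // As in the original: browsers without checkValidity pass through,
  // and the flag is only set once the form is valid.
  if (!form.checkValidity || form.checkValidity()) {
    state[key] = true;
  }
  return true;
}

// Example policy value that forbids inline handlers: scripts must come from
// the site itself (plus a per-response nonce, if one is used).
function cspHeader(nonce) {
  const src = ["'self'"];
  if (nonce) src.push("'nonce-" + nonce + "'");
  return "Content-Security-Policy: script-src " + src.join(" ") +
    "; object-src 'none'; base-uri 'self'";
}

// Audit helper: list inline event-handler attributes (onclick, onkeypress, ...)
// found in a rendered HTML string. Anything it reports will be blocked by the
// policy above, so it should come back empty before the header goes live.
function findInlineHandlers(html) {
  const re = /\s(on[a-z]+)\s*=/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Wire the same behaviour with addEventListener instead of on* attributes.
// `doc` is the document (or a stub); returns false if the elements are absent.
function attach(formId, doc, state) {
  const form = doc.getElementById("gform_" + formId);
  const button = doc.getElementById("gform_submit_button_" + formId);
  if (!form || !button) return false;
  button.addEventListener("click", (ev) => {
    if (!guardSubmit(state, formId, form)) ev.preventDefault();
  });
  button.addEventListener("keypress", (ev) => {
    if (ev.keyCode !== 13) return; // Enter only, as in the original
    if (!guardSubmit(state, formId, form)) { ev.preventDefault(); return; }
    // requestSubmit runs constraint validation like a real submit click
    if (form.requestSubmit) form.requestSubmit(); else form.submit();
  });
  return true;
}

// Constructed sample: the submit button as rendered in the post (abridged).
const SAMPLE_HTML =
  '<input type="submit" id="gform_submit_button_135" class="gform_button button" value="Submit" ' +
  'onclick="if(window[&quot;gf_submitting_135&quot;]){return false;}" ' +
  'onkeypress="if( event.keyCode == 13 ){ jQuery(&quot;#gform_135&quot;).trigger(&quot;submit&quot;,[true]); }">';

// In a browser, replace the inline attributes with listeners for form 135.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  attach("135", document, window);
}
```

Load this file as a normal `<script src="...">` (or with the nonce you put in the header) after the form markup, and strip the on* attributes from the rendered HTML; findInlineHandlers run over the final page should then return an empty list.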