I just had a surprising discussion with Gravity Forms’ support. In their support article Security Best Practices, they recommend enabling a secure CSP. They also write:
“As of Gravity Forms 2.5.8, script tags for the form inline scripts are now generated by WordPress 5.7+, which makes it possible to use the wp_inline_script_attributes filter to add attributes to the tag, such as the nonce required by CSP.”
This should apparently not be interpreted (!?) as “all script tags”… just some script tags. According to the support agent, the text does NOT even indicate Gravity Forms’ being compatible with a secure CSP.
Does anyone here interpret the recommendations as Gravity Forms not supporting secure CSPs and/or that only some of the scripts are enqueued in a secure-CSP-compatible way?
Please note: most plugins and themes are not compatible with secure CSPs. You even have to remove some WordPress core scripts to make WordPress itself compatible. I just find the situation very strange.
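One way to check on a rendered form page which script tags actually carry the CSP nonce and which a nonce-only script-src would block. This is an added example, not part of the original post and not Gravity Forms' or WordPress's code; the sample HTML, the nonce value and the plugin path are constructed.

```python
from html.parser import HTMLParser

# Script types the browser executes; other types (e.g. application/json) are data blocks.
EXECUTABLE_TYPES = {"", "text/javascript", "application/javascript", "module"}

class ScriptNonceAudit(HTMLParser):
    """Find markup that a nonce-only script-src policy would block."""

    def __init__(self, nonce):
        super().__init__()
        self.nonce = nonce
        self.covered = 0      # executable script tags carrying the expected nonce
        self.findings = []    # (line, kind) for everything the policy would block

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        # Inline event handlers (onclick=, onload=, ...) cannot carry a nonce.
        if any(name.startswith("on") for name in attrs):
            self.findings.append((line, "inline-handler"))
        if tag != "script":
            return
        if (attrs.get("type") or "").strip().lower() not in EXECUTABLE_TYPES:
            return
        if attrs.get("nonce") == self.nonce:
            self.covered += 1
        else:
            kind = "external-script" if "src" in attrs else "inline-script"
            self.findings.append((line, kind))

def audit(html, nonce):
    """Return (number of nonce-covered scripts, list of blocked items)."""
    parser = ScriptNonceAudit(nonce)
    parser.feed(html)
    parser.close()
    return parser.covered, parser.findings

# Constructed sample page: one covered script, two uncovered ones, one inline handler.
SAMPLE = """<html><head>
<script nonce="r4nd0m">var a = 1;</script>
<script src="/wp-content/plugins/example-plugin/form.js"></script>
</head><body>
<script type="application/json">{"id": 1}</script>
<script>initForm(1);</script>
<button onclick="submitForm()">Send</button>
</body></html>"""

if __name__ == "__main__":
    covered, findings = audit(SAMPLE, "r4nd0m")
    print(f"{covered} script tag(s) carry the nonce")
    for line, kind in findings:
        print(f"line {line}: {kind} has no valid nonce")
```

Run against the raw HTTP response body rather than the browser DOM, since browsers hide the nonce attribute value from the DOM after parsing.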