This has been brought up before, but I think it needs real addressing so that site owners can implement good Content Security Policies (CSP). I have also made a request through the road map. I thought I would outline the issue here and see if anyone else has an issue with this and if they have found a way to get around it until this feature is implemented.
A post was made back in Mar 2020 (Content-Security-Policy (CSP) header validation) and was quickly shut down as a “contact support”. Really this is a feature that helps with security of sites and those who wish to implement correct security policies.
The main thing to address is the addition of some JS code that is inserted into the <head> tag of pages that contain forms on them. The beginning part of this code is shown below…
Honestly I think this is a bit of a hack, but whatever works I guess, as long as it is following CSP guidelines of supporting a nonce attribute. For reference on CSP you can check out this page… CSP: script-src - HTTP | MDN
unsafe-inline as part of their
What I propose is simply adding a setting that allows users to enter a nonce they can use (or even have it generated but retrievable through code) that then gets printed in that
I see the amount of effort for this rather low and would be a good service to your site owner community.
If anyone has any thoughts, please do let me know.
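To illustrate what a nonce-based script-src policy looks like end to end, here is an added example (not code from the original post or from the platform being discussed). It assumes a hypothetical server that generates one fresh nonce per response, emits it both in the Content-Security-Policy header and on the injected inline <script> tag, and includes a small checker that mirrors how a browser decides whether that inline script runs. The checker applies the CSP Level 3 rule that 'unsafe-inline' is ignored once a nonce or hash source is present in script-src.

```python
import base64
import re
import secrets
from html import escape

# One fresh nonce per HTTP response: 128 bits from a CSPRNG, base64-encoded
# as the CSP spec requires. Reusing a nonce across responses defeats the point.
def make_nonce():
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

# Hardened policy: inline scripts run only when tagged with this response's nonce.
# The weak alternative the thread mentions would be "script-src 'self' 'unsafe-inline'".
def build_csp(nonce):
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

# Hypothetical platform-injected form helper script, tagged with the nonce.
# inline_js is assumed to be the platform's own trusted script, not user input.
def render_page(nonce, inline_js):
    return ("<!doctype html><html><head>"
            f'<script nonce="{escape(nonce, quote=True)}">{inline_js}</script>'
            "</head><body><form></form></body></html>")

# Pull the source list out of the script-src directive of a CSP header value.
def parse_script_src(csp):
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

# Simplified browser-side decision for the first inline <script> in the page:
# allowed if it carries a nonce listed in script-src, or if the policy relies on
# 'unsafe-inline' and has no nonce/hash sources (which would make it ignored).
def inline_script_allowed(csp, html):
    sources = parse_script_src(csp)
    nonce_sources = {s[len("'nonce-"):-1]
                     for s in sources
                     if s.startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-"))
                   for s in sources)
    if not nonce_sources and not has_hash and "'unsafe-inline'" in sources:
        return True
    m = re.search(r'<script\b[^>]*\bnonce="([^"]*)"', html)
    return bool(m) and m.group(1) in nonce_sources

if __name__ == "__main__":
    nonce = make_nonce()
    csp = build_csp(nonce)
    page = render_page(nonce, "console.log('form helper loaded');")
    print("Content-Security-Policy:", csp)
    print("Injected script allowed:", inline_script_allowed(csp, page))
    print("Untagged script allowed:", inline_script_allowed(csp, "<script>x()</script>"))
```

The design point the post is asking for is the middle step: whoever injects the inline script must know the nonce that went into the header for that same response, which is why a per-request setting or a retrievable generated value is needed rather than a static string.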