Epic #87417: Integrate proper Content Security Policy (CSP) handling
For static files
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
This step also requires that the integrity signatures be regenerated every time the source code is modified in a Git commit. Generating them dynamically at serve time does not make sense, since that would just sign compromised data as well. The "trust aspect" still has to be defined here, i.e. how to verify that the signatures themselves have not been compromised.
For ("unsafe") inline assignments
Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c"> var inline = 1; </script>
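The two mechanisms above (build-time SRI hashes for static files, per-response nonces for inline scripts) as an added worked example, not code from this issue or its project; the helper names, the constructed file contents and the use of Python's standard library are assumptions:

```python
import base64
import hashlib
import secrets


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the Subresource Integrity value for ``content``.

    The format is ``<algorithm>-<base64 digest>``; the browser recomputes it
    over the fetched resource and refuses to execute it on mismatch.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag_with_sri(src: str, content: bytes) -> str:
    """Build the <script> tag for a static file at build/commit time."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')


def integrity_matches(expected: str, fetched: bytes) -> bool:
    """Mimic the browser check: recompute with the declared algorithm."""
    algorithm = expected.split("-", 1)[0]
    return sri_integrity(fetched, algorithm) == expected


def new_nonce() -> str:
    """Fresh, unguessable nonce; generate one per HTTP response, never reuse."""
    return secrets.token_hex(16)


def csp_header(nonce: str) -> str:
    return f"Content-Security-Policy: script-src 'nonce-{nonce}'"


def inline_script_tag(nonce: str, body: str) -> str:
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    # Constructed sample file content, standing in for example-framework.js.
    original = b"window.exampleFramework = {version: '1.0'};"
    print(script_tag_with_sri("https://example.com/example-framework.js", original))
    nonce = new_nonce()
    print(csp_header(nonce))
    print(inline_script_tag(nonce, " var inline = 1; "))
```

The nonce must be fresh per response and only appear in the header and the tags the server itself emits; a static or reused nonce gives an attacker the same privileges as `'unsafe-inline'`.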