To ensure compatibility with very old browser versions (4+ years), you can add 'unsafe-inline' as a fallback. All recent browsers will ignore 'unsafe-inline' if a CSP nonce or hash is present.
https: and 'unsafe-inline' don't make your policy less safe because they will be ignored by browsers which support 'strict-dynamic'.
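The fallback chain described in the comment above, as an added Python example (not code from the original thread or from web.dev): the header builder emits nonce + 'strict-dynamic' with 'unsafe-inline' and https: as fallbacks, and `effective_script_src` is a simplified, assumed model of how browsers at each CSP level read that chain.

```python
import secrets


def make_nonce() -> str:
    # Fresh, unpredictable nonce per HTTP response (128 bits of entropy).
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """Build a strict CSP: the nonce and 'strict-dynamic' are what modern
    browsers enforce; 'unsafe-inline' and https: only matter to old browsers.
    object-src/base-uri hardening is added as a common companion (assumption)."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        "object-src 'none'; base-uri 'none';"
    )


def effective_script_src(policy: str, supports_nonce: bool,
                         supports_strict_dynamic: bool) -> set:
    """Simplified model (assumption, not a spec implementation) of the fallback:
      - CSP3 browser ('strict-dynamic'): 'unsafe-inline', https: and host
        sources are ignored; only the nonce and 'strict-dynamic' remain.
      - CSP2 browser (nonce/hash): 'unsafe-inline' is ignored once a nonce is
        present; https: is still honored; unknown 'strict-dynamic' is dropped.
      - CSP1 browser: unknown nonce and 'strict-dynamic' tokens are dropped,
        so it falls back to 'unsafe-inline' and https:."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = set(directives.get("script-src", []))
    has_nonce = any(s.startswith("'nonce-") for s in sources)

    if supports_strict_dynamic and "'strict-dynamic'" in sources:
        return {s for s in sources
                if s.startswith("'nonce-") or s == "'strict-dynamic'"}
    if supports_nonce and has_nonce:
        return {s for s in sources
                if s not in ("'unsafe-inline'", "'strict-dynamic'")}
    return {s for s in sources
            if not s.startswith("'nonce-") and s != "'strict-dynamic'"}
```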
Source:
web.dev/strict-csp/#what-is-a-stri...
Ah, TIL, thanks!