Note that for inline style/script, as long as you're not using `style=''` or `onclick=''`, you can use `nonce=` to have a hash and, to my understanding, newly added inline script will not be tolerated, allowing you to have the best of both worlds.
It does seem like CSP nonces do not play well with caching (since they must have a different value on each page load), which would make them a detriment to performance.
You can also include a hash of the contents in the CSP, which plays well with caching.
True, a hash works as a good alternative. (Unless you're doing super weird stuff like generating inline scripts at runtime.)