I am integrating a cookie tool - OneTrust. I add it by adding scripts in the <head> of the HTML page. The scripts call other scripts and create inline styles.
I manage to embrace all scripts by adding a 'nonce' to these scripts. I have a problem with inline styles which are created on the CDN domain of the OneTrust tool.
Is it possible to load scripts that contain dynamically injected inline styles with the style-src 'self' set in the Content Security Policy (CSP)?
Has anyone resolved a similar problem yet or is the only solution to add an 'unsafe-inline' directive to the style-src in CSP?
OneTrust now has a "preview" feature where you can provide a nonce for your script, but it has to be enabled by their support team.
https://developer.onetrust.com/onetrust/docs/content-security-policy-cdn
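
Added example, not part of the original posts and not OneTrust code: a Node.js sketch of a per-response nonce, a CSP that lists it in style-src, and a simplified model of the browser's decision for an inline <style> element, showing why 'self' alone blocks it. The function names are hypothetical, and hash matching is not modelled.

```javascript
// Added example: hypothetical helpers, not OneTrust or browser code.
const crypto = require('crypto');

// Fresh, unpredictable nonce for every HTTP response (128 bits, base64).
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// External files load from 'self'; inline blocks need the nonce.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Return the source list of one directive, or null when it is absent.
function sourcesOf(csp, directive) {
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

// Simplified model of the check applied to an inline <style> element.
// Assumption: hash-sources are only counted, their matching is not modelled.
function inlineStyleAllowed(csp, elementNonce) {
  // style-src falls back to default-src when it is not set.
  const sources = sourcesOf(csp, 'style-src') ?? sourcesOf(csp, 'default-src');
  if (sources === null) return true; // no directive governs styles
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s));
  const hashes = sources.filter((s) => /^'sha(256|384|512)-.+'$/.test(s));
  if (elementNonce && nonces.includes(`'nonce-${elementNonce}'`)) return true;
  // 'unsafe-inline' is ignored as soon as a nonce or hash is listed.
  if (nonces.length + hashes.length > 0) return false;
  // 'self' matches URLs only, never inline content.
  return sources.includes("'unsafe-inline'");
}
```

A nonce covers <style> elements only; style="" attributes are not nonce-able, so a script that sets them is still blocked under this policy.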