Web security scans of our application ‘fail’ because of the use of Content-Security-Policy and ‘unsafe-inline’ to support JavaScript and CSS generated for the page, e.g. Dynamic Actions and Style attributes.
As far as I can see, there isn't much that a developer can do to fix this as the scripts/style attributes are generated by the APEX engine, e.g. I can't see how I would create a nonce or hash for each ‘inline’ item.
Is there a way of not using the CSP ‘unsafe-inline’ directive?
If not, is there a ‘caveat’ I can give to the security team explaining how APEX remains secure despite this directive?
Or… is this something that is being looked at for future APEX releases?
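As an added example, not part of the original post and not APEX code, this shows the mechanics behind the "nonce or hash per inline item" the question asks about: computing a CSP hash-source for each inline script body of a page and checking which directives of a header still carry 'unsafe-inline'. The sample page and header value are constructed, and the regex is a simple illustration rather than a full HTML parser; the comments note the caveat that a hash covers script/style element bodies only, not the style or event-handler attributes the question mentions, unless 'unsafe-hashes' is also set.

```python
import base64
import hashlib
import re

# Constructed sample page (not APEX output): two inline <script> bodies,
# one external script, one inline style attribute and one event handler.
SAMPLE_HTML = """<html><body>
<script>document.addEventListener("DOMContentLoaded", init);</script>
<div id="P1_REGION" style="display:none">hidden</div>
<button onclick="doIt()">Go</button>
<script src="/static/app.js"></script>
<script>window.pageConfig = {"page": 1};</script>
</body></html>"""

# Inline <script> elements that have no src attribute; group 1 is the body.
_INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)

def csp_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for one inline script/style body: the digest of the
    exact element content (whitespace included), base64 with padding."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def inline_script_hashes(html: str) -> list[str]:
    """One hash-source per inline <script> body found in the page."""
    return [csp_hash(m.group(1)) for m in _INLINE_SCRIPT.finditer(html)]

def script_src_for(html: str) -> str:
    """script-src that allows the page's inline scripts by hash instead of
    'unsafe-inline'. Per CSP Level 3 a hash only matches the body of a
    <script>/<style> element; the onclick="..." and style="..." attributes
    in SAMPLE_HTML are matched by a hash only if 'unsafe-hashes' is also set."""
    return "script-src " + " ".join(["'self'"] + inline_script_hashes(html))

def unsafe_inline_directives(policy: str) -> list[str]:
    """Directives in a CSP header value that carry 'unsafe-inline' (what a
    scanner flags). Once a directive holds a nonce- or hash-source, browsers
    ignore 'unsafe-inline' in that directive anyway."""
    found = []
    for directive in policy.split(";"):
        parts = directive.split()
        if len(parts) > 1 and "'unsafe-inline'" in parts[1:]:
            found.append(parts[0].lower())
    return found

# Constructed header value of the kind a scanner reports on.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
```

Because the hash is over the exact generated text, any change to a dynamically generated script body changes the hash, which is why per-item hashing only works when the policy is emitted by the same component that renders the page.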