
Improved Content-Security-Policy Support in APEX 24.2

Piotr Wrzosek, Jan 17 2025

One of the new features of APEX 24.2 is improved Content-Security-Policy support. However, disallowing inline JavaScript by setting a corresponding Content-Security-Policy in the HTTP Response Headers in Instance Security Settings makes the whole of APEX Administration Services non-functional, as all buttons cease to work (like logging on to the console, cancel/apply changes, etc.). This makes the featured change unusable. The help for "HTTP Response Headers" still states: "Note that Oracle APEX generates inline JavaScript and CSS so the policy value needs to allow these."

The documentation for 24.1 also stated "Improved Content-Security-Policy Support for Universal Theme" in Universal Theme Enhancements, but how that actually translates into the ability to tighten the CSP is unknown to me.

On a related matter, FR-2425 "Generate 'nonce' for inline scripts" is documented as implemented with the solution "Delivered. See Universal Theme Enhancements." But the linked documentation does not contain any information about that, and there is no information about its usability.

So my question is: can we actually set a secure Content-Security-Policy in an APEX 24.2 instance and have all of it functional? Is it already a complete solution or not? What are the required steps and settings to implement it?

This post has been answered by Piotr Wrzosek on Apr 1 2025