Conversation around: how to configure the content security policy header read and annotated
https://www.drupal.org/project/csp (Drupal 8 only) mentioned unsafe-inline is mandatory for WYSIWYG to edit to work.
My question is that when I use a standard AJAX form with CSP enabled by default, I get the following when I click on the Submit button.
"He refused to run the script online because it violates the following Content Security Policy policy:" default-src & # 39; self & # 39; "Either the keyword & # 39; unsafe-inline & # 39 ;, a hash ([redacted]), or a nonce (& # 39; nonce -… & # 39;) is required to enable online execution. "
How can I add a hash or a nonce to the AJAX forms?
Do all Drupal 7 websites require insecure online for the WYSIWYG fields to work? Is that likely to be repairable?