Form AJAX Drupal 7 Content Security Policy

Conversation around: how to configure the content security policy header read and annotated

https://www.drupal.org/project/csp (Drupal 8 only) mentioned unsafe-inline is mandatory for WYSIWYG to edit to work.

My question is that when I use a standard AJAX form with CSP enabled by default, I get the following when I click on the Submit button.

"He refused to run the script online because it violates the following Content Security Policy policy:" default-src & # 39; self & # 39; "Either the keyword & # 39; unsafe-inline & # 39 ;, a hash ([redacted]), or a nonce (& # 39; nonce -… & # 39;) is required to enable online execution. "

How can I add a hash or a nonce to the AJAX forms?

Do all Drupal 7 websites require insecure online for the WYSIWYG fields to work? Is that likely to be repairable?