I am trying to load a 3rd party chat widget script onto my website. The script attempts to add inline styles to style the widget. I am getting this error:
```
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' fonts.googleapis.com 1234.example.com". Either the 'unsafe-inline' keyword, a hash ('sha256-12345='), or a nonce ('nonce-...') is required to enable inline execution.
```
My current CSPs are:
```python
CSP_STYLE_SRC = ("'self'", 'fonts.googleapis.com', '1234.example.com',)
CSP_SCRIPT_SRC = ("'self'", '1234.example.com',)
```
Normally to load random 3rd party scripts / styles I allow it in my CSP. How can I tell my CSP that I want to allow this JS file to add inline style? What I have now does not work.
This question was asked many years ago here. I do not want to allow unsafe-inline. I believe there is no solution besides separating the CSS components out of the JS file and moving them to a separate CSS file.
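The hash option named in the error message, sketched as an added example that is not part of the original post: it computes the hash-source for a known inline style block, appends it to the settings tuple shown above, and approximates the browser's decision for an inline `<style>` element. It assumes the widget injects a `<style>` element with fixed text; `WIDGET_CSS` is a constructed sample and the function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample: CSS text the widget is assumed to inject in a <style> element.
WIDGET_CSS = "#chat-widget{position:fixed;bottom:0;right:0}"

# The style-src sources from the question's settings.
BASE_STYLE_SRC = ("'self'", "fonts.googleapis.com", "1234.example.com")


def csp_hash_source(css_text, algo="sha256"):
    """Return the CSP hash-source for the exact text of an inline <style> element."""
    digest = hashlib.new(algo, css_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def style_src_with_hashes(base, css_blocks):
    """Extend a style-src tuple with one hash-source per known inline style block."""
    extra = []
    for css in css_blocks:
        src = csp_hash_source(css)
        if src not in base and src not in extra:
            extra.append(src)
    return tuple(base) + tuple(extra)


def inline_style_allowed(style_src, css_text):
    """Approximate the browser check for an inline <style> element (nonces not modelled)."""
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in style_src)
    # Browsers ignore 'unsafe-inline' once a hash or nonce is present in the directive.
    if "'unsafe-inline'" in style_src and not has_hash_or_nonce:
        return True
    for algo in ("sha256", "sha384", "sha512"):
        if csp_hash_source(css_text, algo) in style_src:
            return True
    return False


# Drop-in replacement for the CSP_STYLE_SRC setting, without 'unsafe-inline'.
CSP_STYLE_SRC = style_src_with_hashes(BASE_STYLE_SRC, [WIDGET_CSS])
```

The hash matches only byte-identical text, so it has to be regenerated whenever the vendor changes the widget's CSS. Style attributes, unlike `<style>` elements, match a hash only when `'unsafe-hashes'` is also present in the directive.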