
Is there any way to configure Content Security Policy to allow any third-party scripts but disallow inline/eval?

I have some third-party marketing/analytics scripts that have to be added and removed regularly. I would like to secure the page against inline- and eval-style XSS through user input. What would my CSP look like for this use case? Thanks.

Harry

1 Answer


As you probably know, you are not going to set 'unsafe-inline' or 'unsafe-eval' in the script-src directive. To allow everything else you can accept any host with *, or accept everything on certain schemes such as https:, data: and blob:; see https://www.w3.org/TR/CSP3/#framework-directive-source-list

For the other CSP directives you'll have to decide based on your use case and requirements of the third party code.

Halvor Sakshaug
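The policy the answer describes, checked against the kinds of script an injected payload or a tag manager would try to run. This is an added example, not code from the question or the answer: a small evaluator for the script-src directive that answers "would the browser run this script under this policy?". It covers only the source expressions discussed above ('unsafe-inline', 'unsafe-eval', 'self', 'none', *, scheme sources such as https: data: blob:, and host sources with an optional *. wildcard); nonces, hashes, 'strict-dynamic', paths and report-only mode are left out. The page origin https://app.example and the script URLs are made up for the example.

```javascript
// Added example (not from the original post). Simplified CSP script-src
// evaluator: parsePolicy() splits a header value into directives,
// sourceMatchesUrl() implements CSP3 source-expression matching for the
// subset listed in the lead-in, and scriptAllowed() decides for one script.
// Assumed page origin: https://app.example (hypothetical).

// Parse "name v1 v2; name v1" into { name: [v1, v2] }. As in CSP, when a
// directive is repeated the first occurrence wins and later ones are ignored.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = values.map((v) => v.toLowerCase());
  }
  return directives;
}

// Does one source expression match a script URL? Keyword sources other than
// 'self' never match a URL: 'none' matches nothing, and 'unsafe-inline' /
// 'unsafe-eval' only matter for the inline and eval checks in scriptAllowed().
function sourceMatchesUrl(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  // CSP3: * matches any URL except data:, blob: and filesystem: URLs,
  // which have to be listed explicitly to be allowed.
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  // Scheme source, e.g. "https:" or "data:".
  if (/^[a-z][a-z0-9+.\-]*:$/.test(source)) return url.protocol === source;
  // Host source: [scheme://][*.]host[:port]. Paths are ignored in this subset.
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== pageScheme && url.protocol !== 'https:') {
    return false; // scheme-less host source: page's scheme or its https upgrade
  }
  // *.example.com matches subdomains only, never example.com itself.
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  return true;
}

// request: { kind: 'inline' } | { kind: 'eval' } | { kind: 'external', url }
function scriptAllowed(policy, request, pageOrigin = 'https://app.example') {
  const directives = parsePolicy(policy);
  // script-src governs scripts, default-src is the fallback; with neither
  // present, scripts are unrestricted.
  const sources = directives['script-src'] ?? directives['default-src'];
  if (sources === undefined) return true;
  if (request.kind === 'inline') return sources.includes("'unsafe-inline'");
  if (request.kind === 'eval') return sources.includes("'unsafe-eval'");
  const url = new URL(request.url);
  return sources.some((src) => sourceMatchesUrl(src, url, pageOrigin));
}

// The policy the thread asks for: any https-hosted third-party script, no
// inline script, no eval. object-src and base-uri are locked down so that
// plugins and <base> injection cannot be used to sidestep script-src.
const THIRD_PARTY_NO_INLINE = "script-src https:; object-src 'none'; base-uri 'none'";

// Constructed sample scripts: what an injected payload or a tag manager might try.
const SAMPLE_REQUESTS = [
  { label: 'inline <script> / onclick= handler', request: { kind: 'inline' } },
  { label: 'eval() / new Function()', request: { kind: 'eval' } },
  { label: 'https analytics tag', request: { kind: 'external', url: 'https://tags.analytics.example/tag.js' } },
  { label: 'http analytics tag', request: { kind: 'external', url: 'http://tags.analytics.example/tag.js' } },
  { label: 'data: URL script', request: { kind: 'external', url: 'data:text/javascript,alert(1)' } },
];

// Evaluate every sample against a policy; returns { label: allowed }.
function evaluatePolicy(policy) {
  const result = {};
  for (const { label, request } of SAMPLE_REQUESTS) result[label] = scriptAllowed(policy, request);
  return result;
}

console.table(evaluatePolicy(THIRD_PARTY_NO_INLINE));
```

Two things the evaluator makes visible. First, `script-src https:` (or `*`) blocks inline handlers and eval but still allows any https-hosted script, so an attacker who can inject markup can still load a script from a host they control; the policy only removes the inline and eval vectors the question asked about. Second, adding `data:` to script-src reopens an inline-equivalent vector (`<script src="data:...">`), which is why `*` deliberately does not match data: or blob: URLs in CSP3 and why listing those schemes needs a concrete reason.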