Drupal 7 AJAX form Content Security Policy

Conversation around: how to set and read content-security-policy headers

https://www.drupal.org/project/csp (Drupal 8 only) mentioned that the unsafe-inline command is required for WYSIWYG changes to work.

My question is that when I use a standard AJAX form with CSP enabled by default, I receive the following text by clicking the submit button.

"Refused to run a script online because it violates the security directive of the following content:" default-src & # 39; self & # 39; "[redacted]), or a nuncio ("nuncio -…") is required to allow the online execution. "

How can I add a hash or a nonce to AJAX forms?

Do all Drupal 7 websites require unsecured registration for WYSIWYG fields to work? Is this likely to be fixable?