Conversation around: how to set and read content-security-policy headers
https://www.drupal.org/project/csp (Drupal 8 only) mentioned that the unsafe-inline command is required for WYSIWYG changes to work.
My question is that when I use a standard AJAX form with CSP enabled by default, I receive the following text by clicking the submit button.
"Refused to run a script online because it violates the security directive of the following content:" default-src & # 39; self & # 39; "[redacted]), or a nuncio ("nuncio -…") is required to allow the online execution. "
How can I add a hash or a nonce to AJAX forms?
Do all Drupal 7 websites require unsecured registration for WYSIWYG fields to work? Is this likely to be fixable?