
default-src 'none';
connect-src https://your.host;
font-src https://your.host;
img-src https://your.host;
frame-src https://your.host;
style-src 'unsafe-inline' 'unsafe-eval' https://your.host;
script-src 'nonce-rAndom' https://your.host;

style-src


Keeping 'unsafe-inline' for styles is required as a temporary measure while we fix our own and third-party code to avoid it. The improved solution is scheduled to be delivered in late March 2024.

script-src

The most secure way to integrate GRAVITY into a CSP-protected product is the following:
for each document request, generate a random base64-encoded string of at least 128 bits from a cryptographically secure random number generator (for example ZDNn103nceIOfn33fn6e1h3dhrs), use that value in the CSP header as script-src 'nonce-ZDNn103nceIOfn33fn6e1h3dhrs' https://your.host; and also pass it into the GRAVITY integration script:

<!-- the inline loader must itself carry the nonce, otherwise the policy above blocks it -->
<script nonce="ZDNn103nceIOfn33fn6e1h3dhrs">
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
// put the same per-request nonce on the dynamically created tag before it is inserted
script.setAttribute('nonce', 'ZDNn103nceIOfn33fn6e1h3dhrs');
...

If, for some technical reason, it is not possible to generate the random nonce for every request, a static value can be used instead, but this reduces the level of protection.