Due to the increasing security contraints of our customers we are looking at the impact and requirements to have RUM working with CSP applied, as also described in Modify Content Security Policy for RUM | Dynatrace Documentation.
Unsafe_inline is generally still used and set in CSP, however we have to move to make use of Nonce or Hash instead, which, according to the documentation, for Auto Injection yet not supported.
Any pointers on how to correctly define the CSP for Agentless RUM manual insertion of Managed are highly appreciated. Taking in account that the URL of the Cluster ActiveGates behind a LB+WAF are within the customer's own domain.
A "Content-Security-Policy: default-src 'self' trusted.com *.trusted.com" is thinkable, if the CAGs reside at cag.trusted.com? What if the use of hash or nonce is demanded?
Nobody encountered the contraint yet, to prevent the use of unsafe-inline in CSP, if that is applicable at all ?