Has anyone gotten to publish an angular 2+ project and csp (with A + in mozilla observatory), without using the unsafe-inline alternative?
I'm trying to use the nonce alternative, but I have some doubts about it ...
Whose responsibility is it to generate the value of a nonce, client or server?
Any web server that you recommend for this case? (Currently the policy is being implemented in a lambda function of AWS from a cloud front)
Some way to inject or pass the nonce value to the client into the index.html to later read it from angular?. (by metatag, I think)
Thanks for your attention.