Automattic / kue

Kue is a priority job queue backed by redis, built for node.js.
http://automattic.github.io/kue
MIT License

Make the web UI more Content Security Policy (CSP) friendly #1180

Open Prinzhorn opened 6 years ago

Prinzhorn commented 6 years ago

There are only minor changes needed to make it compatible with most CSPs (unless you're deploying nonces, in which case you wouldn't include a whole third-party UI anyway).

So far I'm only getting two violations:

Remove all inline scripts

So far I believe this is the only one: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/views/job/list.pug#L6-L9. It can easily be removed, and instead main.js just extracts the state from a URL param, a data-attribute or whatever. Or use the classes which are already used: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/public/javascripts/main.js#L61-L65

Remove all inline styles

It looks like this is caused by jQuery (1.5.2, which was released over 7 years ago), e.g. here: https://github.com/Automattic/kue/blob/f0e6c065c70ea81dbe507d099f3e5d76728c31b0/lib/http/public/javascripts/jquery.min.js#L590. Kue works fine without it though. Not sure if later jQuery versions are able to perform the feature detection in a different way, or if you don't even need them if you don't support IE 7.

Workaround

For now I've added the five inline scripts (one for each init call with a different state) to my CSP as script-src hashes:

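As an added example (not kue's own code), here is one way main.js could recover the list state without the inline `init(state)` script: the template renders the state as a data attribute and the external script reads it, falling back to the URL path. The attribute name `data-state` and the path fallback are assumptions; the five state names are kue's job states.

```javascript
// Added example, not part of kue. Replaces an inline script such as
//   <script>init('active')</script>
// (blocked by a CSP without 'unsafe-inline' or a hash) with a template that
// renders <body data-state="active"> and an external script that reads it.

// kue's job states; anything else is rejected so that a value taken from the
// document or the URL can never be used as an arbitrary string in the UI.
const VALID_STATES = ['active', 'inactive', 'complete', 'failed', 'delayed'];

function isValidState(value) {
  return VALID_STATES.includes(value);
}

// Reads the state from a data attribute on an element (e.g. document.body).
// `data-state` is an assumed attribute name. Returns null when absent/invalid.
function stateFromDataAttribute(element) {
  if (!element || typeof element.getAttribute !== 'function') return null;
  const value = element.getAttribute('data-state');
  return isValidState(value) ? value : null;
}

// Fallback: take the first path segment that is a known state, so that both
// /active and a mounted prefix like /kue/active/0..20/asc resolve correctly
// (assumed route shapes). Unknown paths yield null.
function stateFromPath(pathname) {
  const segments = String(pathname || '').split('/').filter(Boolean);
  return segments.find(isValidState) || null;
}

// What the external main.js would call on DOMContentLoaded instead of the
// inline init(): attribute first, then URL, then a safe default.
function resolveState(element, pathname, fallback = 'active') {
  return stateFromDataAttribute(element) || stateFromPath(pathname) || fallback;
}

// Stand-alone demo with a constructed element-like object (no DOM needed).
if (typeof document === 'undefined') {
  const fakeBody = { getAttribute: (n) => (n === 'data-state' ? 'failed' : null) };
  console.log(resolveState(fakeBody, '/kue/active')); // attribute wins: "failed"
  console.log(resolveState(null, '/kue/delayed/0..20/asc')); // path: "delayed"
}
```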