Cannot add nonce key to adhere to the CSP policy

[pralhadstha]

Prerequisites

• [x] I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• [ ] The issue still exists against the latest master branch of yii2-widget-fileinput.
• [x] This is not an usage question. I confirm having read the widget documentation and demos.
• [ ] This is not a general programming / coding question. (Those should be directed to the webtips Q & A forum).
• [ ] This is not a source plugin (fileinput) issue. (Those should be directed to the plugin issues repo).
• [ ] I have attempted to find the simplest possible steps to reproduce the issue.
• [ ] I have included a failing test as a pull request (Optional).

Steps to reproduce the issue

1. Use the file widget anywhere and load the page.
2. This error is found in the console: "[Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/bootstrap-icons@1.5.0/font/bootstrap-icons.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. [Report Only] Refused to load the font 'https://cdn.jsdelivr.net/npm/bootstrap-icons@1.5.0/font/fonts/bootstrap-icons.woff2?856008caa5eb66df68595e734e59580d' because it violates the following Content Security Policy directive: "font-src 'self'". [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-< nonce-key >'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list. "

Expected behavior and actual behavior

When I follow those steps, I see the above issue where I need to whitelist all the URLs and these are the external links I do not want to use in my application. Also, the script tags are missing the nonce key which I cannot add by myself to the source code.

I expected to adhere to the CSP policy by not using external assets links. Also, the script tag needs "nonce-" to adhere to the CSP policy which cannot be added to the script tag by ourselves.

Environment

Browsers

• [x] Google Chrome
• [x] Mozilla Firefox
• [ ] Internet Explorer
• [x] Safari

Operating System

• [x] Windows
• [x] Mac OS X
• [x] Linux
• [ ] Mobile

Libraries

• jQuery version:
• yii2-widget-fileinput version:

Isolating the problem

• [ ] This bug happens on the widget demos page
• [x] The bug happens consistently across all tested browsers
• [x] This bug happens when using yii2-widget-fileinput without other plugins
• [ ] I can reproduce this bug in a jsbin