vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0
619 stars, 167 forks

Make it possible to use Push with strict CSP mode #20329

Closed. johannest closed this 2 weeks ago

johannest commented 3 weeks ago

Describe your motivation

Strict CSP seems to only work without Push and PWA annotations. For example, adding a @Push annotation to the crm-tutorial sample project on GitHub breaks it:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-8853c815-6d5c-482f-9a19-0a3440bad51c'". Either the 'unsafe-inline' keyword, a hash ('sha256-42l3QX/grwVfMPqfeV2KpGFj3WKVY5nMfWpTY5CMQmE='), or a nonce ('nonce-...') is required to enable inline execution.
indexhtml-ORb6PBP5.js:255 Refused to load the script 'http://localhost:8080/VAADIN/static/push/vaadinPush-min.js?v=0ec7f28a77fe02cd765c460a7d6e996d658b487200dfc4d9aaca5c2288920ad8' because it violates the following Content Security Policy directive: "script-src 'nonce-8853c815-6d5c-482f-9a19-0a3440bad51c'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Describe the solution you'd like

Add built-in support, or documentation on how to achieve Strict CSP with Push supported.
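As an added example, not code from this issue or from the Vaadin project: the nonce-based strict CSP setup that the report says works without @Push, wired through Flow's IndexHtmlRequestListener. The class and package names are assumptions; the pieces that matter are the Content-Security-Policy header and the nonce stamped onto the script elements of the bootstrap page. The listener only sees the index.html document Flow is about to send, so anything a later request or the running client adds, such as the vaadinPush-min.js load refused in the console output above, is outside its reach.

```java
package com.example.application.security; // assumed package

import java.security.SecureRandom;
import java.util.Base64;

import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.server.communication.IndexHtmlRequestListener;
import com.vaadin.flow.server.communication.IndexHtmlResponse;

/**
 * Added example, not Vaadin project code: a nonce-based strict CSP for the
 * Flow bootstrap page. Flow calls serviceInit() on startup when this class is
 * listed in META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener
 * (or registered as a Spring bean in a Spring Boot project).
 */
public class StrictCspInitListener implements VaadinServiceInitListener {

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void serviceInit(ServiceInitEvent event) {
        IndexHtmlRequestListener nonceListener = (IndexHtmlResponse response) -> {
            // A fresh 128-bit nonce per index.html response. Reusing a nonce
            // across responses would let an attacker learn it and the policy
            // would be no stronger than 'unsafe-inline'.
            String nonce = newNonce();

            // Strict policy: a <script> executes only if it carries this nonce.
            // object-src and base-uri are locked down to close common bypasses.
            response.getVaadinResponse().setHeader("Content-Security-Policy",
                    "script-src 'nonce-" + nonce + "'; object-src 'none'; base-uri 'none'");

            // Stamp the nonce onto every <script> Flow wrote into index.html:
            // the inline bootstrap script and the <script type="module"> bundle.
            // response.getDocument() is the jsoup Document of the page.
            response.getDocument().select("script")
                    .forEach(script -> script.attr("nonce", nonce));
        };
        event.addIndexHtmlRequestListener(nonceListener);
    }

    /** 16 random bytes, base64 encoded, as CSP recommends for nonces. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }
}
```

One CSP caveat worth keeping in mind when reading the two refusals above: a nonce-only script-src also refuses script elements that a trusted script creates at runtime unless 'strict-dynamic' is added to the directive, which extends trust from a nonced script to the scripts it inserts. 'strict-dynamic' does nothing for an inline script that lacks its own nonce or hash, so the first refusal quoted in the report is not addressed by it.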