Engineers at Google have developed and recommend using a strict CSP: https://csp.withgoogle.com/docs/strict-csp.html
The goal being to only allow scripts which have a nonce. There is no style-src directive in their CSP, so in our app I am able to load things like google fonts, external css sheets etc. without a nonce.
This seems like a lapse in their CSP, or I'm missing something?
I think what's happening is that the newer 'strict-dynamic' setting they recommend is allowing the autoloading of some of your dependancies.
The 'strict-dynamic' source expression aims to make Content Security Policy simpler to deploy for existing applications who have a high degree of confidence in the scripts they load directly, but low confidence in their ability to provide a reasonable list of resources to load up front.
It allows scripts which are given access to the page via nonces or hashes to bring in their dependencies without adding them explicitly to the page’s policy.
ref: https://w3c.github.io/webappsec-csp/#strict-dynamic-usage
