0 votes

In my experience, the header below, when enabled, blocks inline script on the page.

Content-Security-Policy: default-src 'self'.

Why is inline code not considered "self"?

I know I can use a nonce or other workarounds to allow inline, or move to external files. I'm just interested to know why inline code isn't considered self.

Hope that makes sense