Ghost's stance on inline code and CSP?

I’ve been working on a Content Security Policy for my sites, and wanted to cover Ghost as well, but have hit a wall due to the inline code used in Ghost.

“Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution.”

From what I’ve been able to gather, none of these methods are desirable, and Google considers inline code harmful!

So what’s Ghost’s stance on this issue?

How do you manage that?

Could it be related to the theme you are using, or is it that way by default on every Ghost instance?