I’ve been working on a Content Security Policy for my sites, and wanted to cover Ghost as well, but have hit a wall due to the inline code used in Ghost.
"Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash, or a nonce is required to enable inline execution."
From what I’ve been able to gather, none of these methods are desirable, and Google considers inline code harmful!
So what’s Ghost’s stance on this issue?
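
For reference, the hash option named in the error message, as an added example that is not part of the original post and is not Ghost's code: it collects the inline scripts of a rendered page and builds a `script-src` directive that allows exactly those scripts without `'unsafe-inline'`. The sample HTML and the function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed sample page (an assumption, not actual Ghost output).
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="/assets/app.js"></script>
<script>window.siteConfig = {theme: "dark"};</script>
<script type="application/ld+json">{"@type": "Article"}</script>
</head><body>
<script>
  document.documentElement.classList.add("js");
</script>
</body></html>`;

// CSP hash source: base64 SHA-256 of the exact text between the tags.
// Whitespace counts, so any change to the script changes the hash.
function cspHash(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Return the bodies of inline scripts that the browser would execute.
// A regex is enough for this sample; use a real HTML parser on arbitrary pages.
function inlineScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, covered by 'self'
    const type = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    // Data blocks such as JSON-LD are never executed, so they need no hash.
    if (type && !/^(text\/javascript|module)$/i.test(type[1])) continue;
    if (body.length === 0) continue;
    found.push(body);
  }
  return found;
}

// Build the directive: 'self' plus one hash per distinct inline script.
function buildScriptSrc(html) {
  const hashes = [...new Set(inlineScripts(html).map(cspHash))];
  return ["script-src", "'self'", ...hashes].join(" ");
}

console.log(buildScriptSrc(SAMPLE_HTML));
```

Hashes only fit inline scripts whose text is identical on every response; a script that embeds per-request values needs a nonce instead.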