add unsafe-inline migration strategy

packages/backend-core/src/environment.ts

@@ -226,6 +226,8 @@ const environment = {
   MIN_VERSION_WITHOUT_POWER_ROLE:
     process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
   DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
+  // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
+  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
 }
 
 export function setEnv(newEnvVars: Partial<typeof environment>): () => void {

packages/backend-core/src/middleware/contentSecurityPolicy.ts

@@ -1,4 +1,5 @@
 import crypto from "crypto"
+import env from "../environment"
 
 const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
@@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
       `'nonce-${nonce}'`,
     ]
 
+    if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
+      directives["script-src"].push("'unsafe-inline'")
+    }
+
     ctx.state.nonce = nonce
 
     const cspHeader = Object.entries(directives)