Strict CSP - without blob/unsafe.

[Ketec]

The description mentions full CSP support - but when enabled, it makes blob requests (disabled by company policies due to XSS risk).

Npm version page mentioned no blob/unsafe inline needed - out of date info?

It also does not pick up nonce from the scripts (even if i hardcoded a script tag in head with nonce value - blobs still send empty nonce)

[guybedford]

Yes nonces are not set for blobs, and blobs are required in the CSP policy, this is a requirement of the approach.

If can't have blobs in the policy, it may be advisable to lean into the existing baseline modules support instead of using newer features rather.