Content Security Policy (Setting nonce value)
(11-25-2021, 06:22 PM)donpwinston Wrote:

When you turn content security policy on in .env via "app.CSPEnabled = true", a nonce is created for every inline css and javascript for the debug bar but NOT for the kint inline script and inline styles. I can see the {csp-style-nonce} text in the welcome page view file. The welcome page has styles and scripts with no nonce. My browser complains about these but doesn't complain about the kint js and css. Why?

I've got this working. CI updates the header for you with the nonce values. Just edit app\Config\ContentSecurityPolicy.php and use an array to set scriptSrc, styleSrc, .... The nonce values will be dynamically added to these arrays for each page and page refresh. Don't forget to set app.CSPEnable = true in the .env file.

Do not set the following:

    # contentsecuritypolicy.defaultSrc = 'none'
    # contentsecuritypolicy.scriptSrc = 'self'
    # contentsecuritypolicy.styleSrc = 'self'
    # contentsecuritypolicy.imageSrc = 'self'

If you use these they will get blown away when CI adds the nonce values.
Simpler is always better
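An added configuration example (not the poster's own file) showing the array form recommended above, so CodeIgniter can append the per-request nonce to each directive; the CDN host is a placeholder:

```php
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

// app/Config/ContentSecurityPolicy.php
// With app.CSPEnabled = true in .env, CodeIgniter appends the request's nonce
// to these directives. Array values keep the listed sources; per the post
// above, the same keys set in .env are overwritten, so leave those commented.
class ContentSecurityPolicy extends BaseConfig
{
    // Enforce the policy (true would only report violations while tuning).
    public $reportOnly = false;

    // Fallback for any directive not listed below.
    public $defaultSrc = 'none';

    // Keywords such as 'self' are written unquoted; CI quotes them in the header.
    // https://cdn.example.test is a placeholder host for a third-party script.
    public $scriptSrc = ['self', 'https://cdn.example.test'];
    public $styleSrc  = ['self'];
    public $imageSrc  = ['self'];

    // Placeholders that CI swaps for nonce="..." inside views.
    public $styleNonceTag  = '{csp-style-nonce}';
    public $scriptNonceTag = '{csp-script-nonce}';
}
```

In views, write `<script {csp-script-nonce}>` and `<style {csp-style-nonce}>`; CodeIgniter replaces each placeholder with a nonce attribute and adds the same nonce to the corresponding header directive, so inline blocks without the placeholder are still blocked by the browser.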
Messages In This Thread
Content Security Policy (Setting nonce value) - by donpwinston - 11-24-2021, 05:12 AM
RE: Content Security Policy (Setting nonce value) - by donpwinston - 11-25-2021, 06:22 PM
RE: Content Security Policy (Setting nonce value) - by donpwinston - 11-26-2021, 09:50 AM
RE: Content Security Policy (Setting nonce value) - by kenjis - 11-26-2021, 09:03 PM