How to avoid having style-src 'self' 'unsafe-inline' for Content-Security-Policy

[dvillasenor-msft]

How does one avoid having 'unsafe-inline' when using vis.js? I add vis.js in my React project using npm. The styles appear to be injected inline in index.html after the page has loaded.

[dvillasenor-msft]

@lriho @yotamberk @mojoaxel as the last contributors to your project, may you be able to help here or know someone who can help with this question?

I used csp-html-webpack-plugin along with html-webpack-plugin which both should in theory add nonces/hashes for inline scripts/css files.

The catch is that it doesn't do it for dynamic inline styles that are added after the page is loaded.