Are there any plans to allow sites to retain ‘tight’ (ish) CSP when using these injected apps? The couple I quickly looked at just added inline js with tags. It would be nice if they were instead loaded from a dedicated Cloudflare ‘apps’ subdomain which one could whitelist in the CSP ‘script-src’, but I realise this would be a major architectural change! An alternative may be to include a nonce value in the tag which the webmaster could provide to you by way of a new header, such as X-Cf-nonce? That is to say, the site-generated nonce would be included in both the page’s CSP and returned in a header, such that the injected app could use it to maintain compliance.
As you know unsafe-inline and eval are being frowned upon these days in security checks but appear presently mandatory for your apps without some kind of change. Adding a nonce would seem most logical, I guess.
EDIT: Actually I was looking in preview, in live mode things look better installed but there’s a bit of ‘data’.