Are there any plans underway to allow sites to retain (relatively) strict CSP in place whilst using the new apps? Seeing as you effectively MITM all web content, maybe even allowing a setting to have your proxies detect a nonce passed and (re)use this when injecting the app code into the web source. But I’m sure you could come up with better ideas. Presently the recommended use of just adding ‘unsafe-inline’ isn’t ideal.

As you can imagine, providing a secure CSP while also allowing apps to be installed is a challenge, but it’s something we’re very interested in tackling. Ideally we will know what resources a given app needs and will be able to transparently update the CSP to include the absolute minimum set of permissions required. I can’t provide any specific details about when this will be available on Cloudflare Apps but it is absolutely something we are considering.
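
The nonce-reuse idea raised in the question, sketched as an added example (it is not part of either post and is not Cloudflare's implementation): a proxy reads the nonce the origin already issued in its CSP and stamps it on the injected script, so the policy never needs 'unsafe-inline'. The function names are hypothetical, and a single `Content-Security-Policy` header per response is assumed.

```javascript
// Added illustration: names below are hypothetical, not a Cloudflare API.
// Assumes a single Content-Security-Policy header on the response.

// Split a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the nonce the origin issued for scripts, or null if there is none.
// script-src falls back to default-src only when script-src is absent.
function findScriptNonce(header) {
  const csp = parseCsp(header);
  const sources = csp.get("script-src") || csp.get("default-src") || [];
  for (const source of sources) {
    // Strict base64/base64url match also blocks attribute injection.
    const m = /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(source);
    if (m) return m[1];
  }
  return null;
}

// Inject an inline script that reuses the origin's nonce. If the policy has
// no nonce, leave the page alone rather than loosening it to 'unsafe-inline'.
function injectApp(cspHeader, html, scriptBody) {
  const nonce = findScriptNonce(cspHeader);
  if (nonce === null) return { html, injected: false };
  // Keep the payload from closing its own <script> element early.
  const safeBody = scriptBody.replace(/<\/(script)/gi, "<\\/$1");
  const tag = `<script nonce="${nonce}">${safeBody}</script>`;
  // Insert before the last </body>, or append if the page has none.
  const close = [...html.matchAll(/<\/body\s*>/gi)].pop();
  const at = close ? close.index : html.length;
  return { html: html.slice(0, at) + tag + html.slice(at), injected: true };
}
```

Because the nonce is regenerated by the origin on every response, this only works when the proxy rewrites the same response that carried the header; a cached page with a stale nonce would leave the injected script blocked.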