Giving this post from a year ago some renewed focus:
Are there large technical challenges to implementing a solution? If not, this should be prioritized.
It makes everyone’s site more secure, but would greatly help those of us building sites in industries that have more rigorous IT security / compliance benchmarks.
Not only is unsafe-inline required for scripts but also unsafe-eval, which essentially renders any CSP useless. It becomes little more than a decorative element at this point and will only serve as a means to get better ratings from page scanners but it will not be able to mitigate the real threats anymore.
Perhaps utilising nonces in strict-csp is a viable compromise.
At any rate, this is a pretty potent issue that should not be ignored for so long.