Better practice for modern CSP-compliant style

Hello,
I know that the nature of Wappler is to create inline JavaScript inside HTML elements, like onclick and every dynamic event that fires inline JavaScript.

Maybe it would be an opportunity to refactor the way Wappler creates Dynamic Events as inline JavaScript and allow a modern CSP-compliant style, that is, moving every inline JavaScript into a separate file and allowing, in the property window, adding the “integrity” attribute to write the “hashes” or “nonces”, and maybe, just maybe, generating automatically on every <script> and <style> tag the proper integrity, something like this: https://www.srihash.org/.

Right now, in a sample audit review checking for Cross-Site Scripting in the CSP rules, Wappler did not pass.

With this in mind, how secure is a web or app made with Wappler without these rules?

SRI hashes are for third-party scripts, so your page only loads trusted scripts. There’s no difference between moving Wappler stuff to a separate file and adding an SRI hash or directly loading in-line stuff, because if your HTML is compromised you can easily change the hash.

That being said, an SRI hash is only useful if you’re loading third-party scripts. What scripts are you using on your website that aren’t part of Wappler core libraries?

Also, it’s not possible to use SRI on every script tag you might have. For example, Google reCaptcha, because they may want to modify the script on a regular basis.

I use SRI for things that are unlikely to change, such as scripts or CSS with clearly defined versions, so I know the hash won’t change.