Intent
Tighter CSP: script-src currently allows unsafe-inline and unsafe-eval.
Scope
- Remove unsafe-eval (and unsafe-inline where feasible) using nonces/hashes.
- Verify third-party embeds (Donorbox, Shopify, Cloudinary) still work; document any exceptions.
Acceptance criteria
Touches: Cross-cutting.
Intent
Tighter CSP: script-src currently allows
unsafe-inlineandunsafe-eval.Scope
Acceptance criteria
Touches: Cross-cutting.