Problem with Content Security Policy header if there are 2 or more pages/posts

[yureiita]

I use Content Security Policy (CSP) header. Below is part of the CSP header:

Content-Security-Policy: script-src cusdis.com 'sha256-CqbIxSuOKdmSXIO5yL2+tpjMEOHdmUZnNptVhj1Q62o=' 'sha256-PpoMGG9w/Fjish9te4vIehw9nTfUo+74bZ2WUOfAXOo='; connect-src cusdis.com; style-src cusdis.com;

CSP prevent the execution of inline script, but it's not recommended to use script-src 'unsafe-inline'; so I used the hashes of the script to allow it to execute. The problem is the hashes of the inline script are different for every page/post due to the following inline script:

<script>\n      window.CUSDIS_LOCALE = ${JSON.stringify(window.CUSDIS_LOCALE)}\n      window.__DATA__ = ${JSON.stringify(e.dataset)}\n    <\/script>

The problem arise when there are two or more pages/posts in the website. Consider the following example where there are two pages/posts in the website:

Inline script for example.com/post1 where the hash is sha256-u7S9oMV/g49aCO9404X3Y98C87qUCp7kYOZPe79HeuQ=

      window.CUSDIS_LOCALE = undefined
      window.__DATA__ = {"host":"https://cusdis.com","appId":"appId","pageId":"pageId1","pageUrl":"https://example.com/post1/","pageTitle":"This is first post"}
    

Inline script for example.com/post2 where the hash is sha256-cYLu7JhrYU0FkQod2EEGCW0Hfrha/RsK6otfhvND+sA=

      window.CUSDIS_LOCALE = undefined
      window.__DATA__ = {"host":"https://cusdis.com","appId":"appId","pageId":"pageId2","pageUrl":"https://example.com/post2/","pageTitle":"This is second post"}
    

Imagine if there are hundreds of posts/pages in a website, there will be hundreds of the script hashes to be included in the CSP header.