mkind
Thanks for the issue :+1:

> We often use inline style="background-image: url(…)". There could be ways around this, but maybe it is just ok to allow unsafe-inline styles. Inline styles...
AFAIK CSP has an option to prevent clickjacking, too. We might also take this into account.
I like the idea to have a policy per view. This seems to be quite convenient via the [decorators](https://django-csp.readthedocs.io/en/latest/decorators.html). This allows us to have a maximal restrictive policy.
Instead of using `unsafe-inline`, we should use whitelisting via `nonces` or hashes. There is a [django-csp-nonce app](https://pypi.python.org/pypi/django-csp-nonce) to do so.
There is an issue for [nonce support](https://github.com/mozilla/django-csp/issues/48) in django-csp.
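To make the hash/nonce alternative to `unsafe-inline` concrete, here is an added, stand-alone example (not code from this project or from django-csp, which is why it builds the header string by hand): it computes the CSP hash source for an inline `background-image` style, generates a per-response nonce, and assembles a per-view policy that also carries the `frame-ancestors` clickjacking directive mentioned above. The inline style value is constructed for the example; note the `'unsafe-hashes'` caveat, since plain hash sources only match `<style>` elements, not `style=""` attributes.

```python
import base64
import hashlib
import secrets

# Constructed sample: the kind of inline style attribute the thread talks about.
INLINE_STYLE = "background-image: url(/static/img/hero.jpg)"


def csp_hash_source(content: str, algo: str = "sha256") -> str:
    """CSP hash-source token ('sha256-<base64>') for the exact inline content.

    The hash covers the bytes of the attribute value verbatim, so any change
    to whitespace or quoting in the template invalidates the token.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP permits only sha256, sha384 or sha512 hash sources")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce() -> str:
    """Fresh 128-bit nonce; it must be generated per response and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(directives: dict) -> str:
    """Serialise a {directive: [sources]} mapping into a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def policy_for_view(inline_styles, nonce=None) -> str:
    """Maximally restrictive policy for one view: hashed styles, nonced scripts."""
    style_src = ["'self'"] + [csp_hash_source(s) for s in inline_styles]
    if inline_styles:
        # CSP Level 3: hashes only match style *attributes* when 'unsafe-hashes'
        # is present; without it they cover <style> elements only.
        style_src.append("'unsafe-hashes'")
    script_src = ["'self'"] + ([f"'nonce-{nonce}'"] if nonce else [])
    return build_policy({
        "default-src": ["'self'"],
        "script-src": script_src,
        "style-src": style_src,
        "frame-ancestors": ["'none'"],  # clickjacking protection, as noted above
    })


def uses_unsafe_inline(policy: str) -> bool:
    """Simple check for the setting the thread wants to avoid."""
    return "'unsafe-inline'" in policy
```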
> I am also experiencing this problem for some events. It seems to occur for events with a category. Recently experiencing the same for events without any category.
Maybe redundant to https://github.com/liqd/a4-opin/issues/1016