CSP issue

[ganeddact]

Hi,

I'm currently reviewing and testing your module for a potential customer implementation. During our evaluation, we noticed that the module includes several inline JavaScript blocks that do not comply with our Content Security Policy (CSP) configuration, as they lack the required nonces or SHA hashes.

Our environment enforces a strict CSP, and starting with Magento 2.4.7, this policy is applied by default on the checkout page. It's anticipated that CSP enforcement will expand to other areas of the storefront in future releases.

Addressing these CSP compliance issues—by avoiding inline scripts or including proper nonces/hashes—would improve compatibility moving forward and ensure smoother adoption in secure environments.

[ganeddact]

sorry, forgot to post an example:
on vendor/trustpilot/module-reviews/view/frontend/templates/head/head.phtml there are several lines (3, 9, 15) that can be fixed by adding the attribute nonce="generateNonce(); ?>" (if you inject the Magento\Csp\Helper\CspNonceProvider in the block making it accessible from the phtml)

[hostep]

Ran into this as well, opened a PR for it: #108

But it seems like this repo is quite dead, so no idea if it will be picked up or not.