Using CRA with Content Security Policy (CSP)

[AlexanderKidd]

Hello,

I've noticed a strict CSP for style-src will cause the style loader of webpack to be unhappy when it tries to append inline CSS:

I was wondering if I need to use a webpack dev server to take advantage of using a nonce token, or if CRA had a way of circumventing this style issue during development. The REACT_APP_INLINE_RUNTIME_CHUNK=false value doesn't seem to help in this case (in fact, I'm not seeing a difference in the resources that come over the wire between setting it to true vs. false).

I'm using the plain npm start in react-scripts.