Default CSP breaks BE module

[georgringer]

currently following errors are shown in console

Formlog:1 Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/[email protected]/daterangepicker.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Fehler nachvollziehenAI
Formlog:1 Uncaught (in promise) TypeError: Failed to fetch dynamically imported module: https://gbw.ddev.site/_assets/85a1eecabf01f6599f591360f079ab1a/JavaScript/filter.js?bust=1741003605Fehler nachvollziehenAI
Formlog:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/+esm' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-viYAK_Wo58Kw977DPM98ijxrenbsmYnsE94XOcVypPAST7I8471iMw' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Fehler nachvollziehenAI
Formlog:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/+esm' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-viYAK_Wo58Kw977DPM98ijxrenbsmYnsE94XOcVypPAST7I8471iMw' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Fehler nachvollziehenAI

it is not allowed to load assets from different domains and only really done when needed, .e.g. google maps.

for this extension I strongly suggest to ship the scripts with the extension, there is no benefit at all to use a CDN nowadays and with CSP and GDPR, this doesn't work anyways

[mbrodala]

For now I'll adjust the CSP accordingly. Right now there is not much time to implement another asset bundling workflow. We recently dropped Grunt which was previously used for this. PRs to embed these libraries and allow for updates are welcome.