I want to defer inline Javascript code passed in src and allowlist in CSP (Content-Security-Policy)
For deferring inline JS code, I referred: How to defer inline Javascript?
But I don't see a way to allowlist this in CSP.
Code
<script defer type="text/javascript" src="data:text/javascript,<code>"></script>
If I include data* in script-src directive I receive the violation
The source list for the Content Security Policy directive 'script-src' contains an invalid source: `data*`. It will be ignored.
Another approach I see is to use nonce but this will prevent other scripts from loading which do not have the nonce value.
I understand that there are other ways to defer the script including defining the script in an another local file or hosting it some external location but these two somehow does not work for me, due to other factors. Also I need the script to work globally hence module type will do no good.
Simply put, I want a way to allowlist Javascript code when passed in the SRC field instead of the script content.
