Install a fresh Joomla 4.1.2 version (in my case with de-DE language package during installation). Now log in as administrator and under "System" -> "Plugins" -> "System - HTTP Headers" only the following is set:
Tab "Content-Security-Policy (CSP)": "Enabled". The settings are now as shown in the picture.
Then click on "Save".
When opening the frontend, the "strict-dynamic" header is sent (incl. nonce).
The option strict-dynamic (or a nonce in the header [in HTML there is the nonce]) does not appear.
Labels | Added: No Code Attached Yet |
Yes, strict-dynamic is only added once you set an initial script-src rule, and the nonce is added once you add the "{nonce}" placeholder.
Not sure whether we want it, but we can force the nonce and the strict-dynamic option to be set in the case that option is enabled. The placeholders might also be mentioned in the descriptions to make it easier to understand?
Ok, but that you have to use "{nonce}" is not really obvious. I have also not found any documentation about it in the plugin. This should be documented somewhere in any case, otherwise you do not understand why no nonce is effective (i.e. not present in the CSP).
I use the standard template "Cassiopeia". With inline scripts and inline styles the nonce is added correctly, but not with a "script src=file.js", which leads to no JavaScript being loaded at all. Is that intended?
Please set script-src = 'self' {nonce}, that should fix the issue by allowing the hosted JS files.
Yes, this solves the problem, but it is not really a secure CSP header. Only the nonce in the script-src would be better. In a transitional phase, possibly also in combination with strict-dynamic. Compare: https://cspscanner.com and https://csp-evaluator.withgoogle.com - Is it intended in the plugin that the scripts are automatically equipped with a nonce in the HTML?
Yes, this solves the problem, but it is not really a secure CSP header.
Why? Allowing the locally stored JS files should be ok, or am I missing something? From my understanding it's ignored within CSP3 anyway when there is strict-dynamic.
Only the nonce in the script-src would be better.
Yes, when you only have inline scripts. Ideally even the nonce should not be required, just "script-src 'self'", when all inline stuff is converted to static JS files?
Is it intended in the plugin that the scripts are automatically equipped with a nonce in the HTML?
Yes, inline scripts passed to the HTML via the Joomla API.
Ok, then I'll make the distinction clear:
script-src 'self' 'nonce-XXX' 'strict-dynamic'
Here, as you have already written, self is ignored, but also all JavaScript files that are included via <script src="file.js"> are blocked by the CSP header, as they do not have a nonce. (Chrome incorrectly indicates here that script-src-elem would be the problem; however, this does not occur in the CSP at all, so it falls back to script-src.)
script-src 'self' 'nonce-XXX'
Here, the JavaScript files that are included via <script src="file.js"> are no longer blocked. But the warning message is already obvious for locally embedded files.
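As an added example (not code from this thread, from Joomla or from the HTTP Headers plugin), here is a small model of the decision a CSP3 browser makes for the two script-src shapes compared above; the nonce 'abc123', the page origin 'https://joomla.example' and the path '/js/file.js' are constructed values:

```javascript
// Added example (not Joomla or plugin code): a minimal model of how a CSP3
// browser decides whether a <script> may run under script-src. Only 'self',
// 'nonce-...', 'strict-dynamic' and 'unsafe-inline' are modelled; hashes,
// host allowlists and script-src-elem are left out.
function parseScriptSrc(policy) {
  // Pick the script-src directive out of a full Content-Security-Policy value.
  const directive = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0] === 'script-src');
  if (!directive) return null;
  const tokens = directive.slice(1);
  return {
    self: tokens.includes("'self'"),
    strictDynamic: tokens.includes("'strict-dynamic'"),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    nonces: tokens.filter(t => /^'nonce-.+'$/.test(t)).map(t => t.slice(7, -1)),
  };
}
// script: { inline: true } or { src: '...' }, each optionally with a nonce.
// pageOrigin: origin of the document, e.g. 'https://joomla.example'.
function scriptAllowed(policy, script, pageOrigin) {
  const d = parseScriptSrc(policy);
  if (!d) return true; // no script-src: unrestricted in this model (a browser falls back to default-src)
  if (script.nonce !== undefined && d.nonces.includes(script.nonce)) {
    return true; // a matching nonce allows the script under either policy shape
  }
  if (d.strictDynamic) {
    // CSP3: once 'strict-dynamic' is present, 'self', host sources and 'unsafe-inline'
    // are ignored, so anything without a matching nonce is blocked, including a
    // same-origin <script src="file.js">, which is the case this thread ran into.
    return false;
  }
  if (script.inline) return d.unsafeInline;
  return d.self && new URL(script.src, pageOrigin).origin === pageOrigin;
}
// Run the two policy shapes compared in the thread against a same-origin file
// without a nonce and an inline script with one; all values are constructed.
function compareThreadPolicies() {
  const origin = 'https://joomla.example';
  const cases = { localFileWithoutNonce: { src: '/js/file.js' },
                  inlineWithNonce: { inline: true, nonce: 'abc123' } };
  const out = {};
  for (const policy of ["script-src 'self' 'nonce-abc123' 'strict-dynamic'",
                        "script-src 'self' 'nonce-abc123'"]) {
    out[policy] = {};
    for (const [name, script] of Object.entries(cases)) out[policy][name] = scriptAllowed(policy, script, origin);
  }
  return out;
}
```

compareThreadPolicies() returns false for the un-nonced local file only under the strict-dynamic policy, which is exactly the "no JavaScript loads" symptom from the Cassiopeia test above.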
Here, as you have already written, self is ignored, but also all JavaScript files that are included via <script src="file.js"> are blocked by the CSP header, as they do not have a nonce.
Ok, so also <script src="file.js"> needs a nonce? Should be possible, as the nonce is an option of the web application. Not sure from the top of my head where that is generated within Joomla, but as long as it's passed via the API there should be a place to add this.
Ok so also <script src="file.js"> needs a nonce?
Exactly, compare also: https://content-security-policy.com/strict-dynamic/
Ha ok, looks like I missed it. That's actually not part of the implementation yet.
@sisko1990 please check: #37942 and #37940 for two issues reported here. Thanks.
That should also cover all issues reported here right? Could be that we have to force add the script-src directive when nothing has been done there manually right?
Labels | Added: bug |
Yes thanks.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-04-10 20:45:28 |
Closed_By | ⇒ | zero-24 |
So to summarise briefly: The plugin "System - HTTP Headers" does not seem to include the "strict-dynamic" in the Joomla! website, nor the "nonce" in the header. However, the "Nonce" is correctly inserted in the HTML.
@zero-24 maybe any idea?