Steps to reproduce the issue

• Joomla 4.1.3. Core template. Firefox 100.0.
• Configure plugin "Http Headers" > "Content-Security-Policy (CSP)"
• Client: Site
• Nonce: Yes
• Add a "Policy Directive" for "Client: Site"

script-src: {nonce} 'self' 'unsafe-inline'

• Create a frontend menu item of type "Category List" for a article category with some articles.
• Activate some table headers to have possibility to order table columns.
• Open menu item in frontend with Firefox.
• See browser inspector. Error message that Inline scripts are blocked.

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src"). 4 category-list

• Try to order table columns by clicking on table headers. Fails.

Reason

Inline Javascript (onclick)

<th scope="col" id="categorylist_header_title">
 <a href="#" 

onclick="Joomla.tableOrdering('a.title','asc','', document.getElementById('adminForm'));return false;"

class="hasPopover" title="" data-bs-content="Select to sort by this column" data-bs-placement="top" data-bs-original-title="Title">Title</a></th>

If Nonces are activated modern browsers ignore the rule 'unsafe-inline'.

Result

We can't use the HTTP Header plugin with Nonces activated.

The inline scripts should be replaced by a document->addScriptDeclaration or similar. Then it will get a nonce.