Are we forced to use 'unsafe-inline' in our CSP when using Vue.JS?

According to the Vue.js docs, the runtime build is fully CSP-compliant.

Nuxt is supporting a csp config to create hashes via webpack sent as header on dynamic SSR mode and meta elements otherwise (see https://github.com/nuxt/nuxt.js/pull/5354)

you could use the --no-unsafe-inline option in your npm run build script

https://cli.vuejs.org/guide/cli-service.html#vue-cli-service-build

Not sure if this is better as a comment or not but it kinda works so putting it here for now.

Our deployment strategy might be a bit different, but essentially we trigger a lambda to update the cloudfront csp with our CI/CD.

We noted that the inline scripting was static despite different app versions/bumps. Our current workaround is:

1. Deploy on a dev server - get the sha256 hash from the chrome dev tools (you could probably calculate it yourself to avoid deploying)
2. Updated our terraform cloudfront lambda CSP with the hash
3. On the new deploy the hash matches and we don't need unsafe-inline

Some big limitations re: if nuxt changes the inline script on new versions we'll have to manually update our hash in the CSP. Also, depending on your styling framework there may be a number of inline-styles which aren't captured here.