Add nonce to embedded script references. This should allow these scripts to execute with a nonce-.... content security policy (csp). However there is still a lot of inline javascript that a web developer needs to look at and rewrite the inline javascript (onsubmit, onclick ..) to be applied by a nonce authorized javascript library that adds event listeners. Ref: https://csp.withgoogle.com/docs/adopting-csp.html#refactor-inline-event-handlers-and-javascript-uris