
content: Required Content-Security-Policy headers needed to not break the application #2962

Open
ijsje71 opened this issue May 15, 2023 · 0 comments
Labels
triage New issues

Comments


ijsje71 commented May 15, 2023

URL

https://capacitorjs.com/docs/guides/security#web-view-security

Issue Description

For additional protection against XSS attacks, I want to add Content-Security-Policy headers to my Ionic React application. I am, however, unable to figure out which Content-Security-Policy directives are required for the application not to break. The URL that I posted in this issue tells us to add a default-src 'self' directive, but when this directive is applied in a PWA, it breaks the larger part of the application. Components such as the search bar are no longer displayed correctly, and the browser console shows some sources that cannot be loaded because of this 'self' directive. Even if I follow these instructions, I am not able to correctly include the different types of sources required in the Content-Security-Policy header for the application to work completely. Especially the style-src and the script-src directives need a configuration which is hard to figure out.

I believe it would be best to document some of the required Content-Security-Policy headers somewhere in the Ionic docs, so that people who want to secure their application further can do this. I would assume that the answer for including all the inline script executions in the Content-Security-Policy headers is something that can be used on all Ionic React applications. This is why I think it would be best that it is documented somewhere.

@ijsje71 ijsje71 added the triage New issues label May 15, 2023