Tags: javascript, html, inline, content-security-policy, inline-scripting

Content Security Policy self blocking inline


In my experience, the header below, when enabled, blocks inline script on the page.

Content-Security-Policy: default-src 'self'.

Why is inline code not considered "self"?

I know I can use a nonce or other workarounds to allow inline, or move to external files. I'm just interested to know why inline code isn't considered self.

Hope that makes sense.


Solution

  • By default inline code is disabled, not just because of default-src 'self'. To enable inline code one has to use unsafe-inline in script-src.