Presence of unsafe- directive in Content Security Policy header. How do we remove that? #2738

Open
jaysara opened this issue May 15, 2024 · 0 comments

jaysara commented May 15, 2024

The question
With our use of Modernizr version 2.6.2, we have detected a security vulnerability pointing to the presence of an 'unsafe-' directive in the Content Security Policy header.

As per the standards, and to be compliant with CSP, 'unsafe-' prefixed directives should be removed from the Content Security Policy header configuration. To meet CSP compliance we tried to remove the 'unsafe-' prefixed directives ('unsafe-inline' and 'unsafe-eval'), but this creates an issue rendering the Modernizr scripts/styles in the application.

Remediation steps followed:
We followed the remediation steps of adding a nonce and the hash technique, but we failed to add or insert the nonce/hash into Modernizr.

Modernizr has this inline CSS:

```javascript
// yepnope.injectCss as bundled in Modernizr 2.6.2, quoted as posted in the issue
// (the snippet is cut off after "Modernizr.load = function()")
a.yepnope.injectCss = function (a, c, d, e, g, i) {
    // creates a <link rel="stylesheet"> pointing at the given URL
    var e = b.createElement("link"), j, c = i ? h : c || f;
    e.href = a, e.rel = "stylesheet", e.type = "text/css";
    for (j in d) e.setAttribute(j, d[j]);
    // inserts the element before the reference node n unless g is set
    g || (n.parentNode.insertBefore(e, n), m(c, 0))
}
}(this, document), Modernizr.load = function()
```

The Content Security Policy header has the 'unsafe-' prefixed directive:

```
Content-Security-Policy:
default-src 'self' stats.g.doubleclick.net *.google-analytics.com *.googletagmanager.com *.transunion.com; style-src 'self' *.google-analytics.com *.googletagmanager.com *.transunion.com 'unsafe-inline'; font-src
```
Following is the version info of the Modernizr we are using: Modernizr 2.6.2 (Custom Build) | MIT & BSD
Can you please help us with any settings we can make in Modernizr to stop this header from appearing?