Is there a way that Autoptimize could insert a script/CSS 'nonce' in the script/style tag? That way I could allow scripts and CSS with that nonce while disallowing all others (and abandoning 'unsafe-inline').
Autoptimize is the perfect place for this feature because it already can strip all inline code; it's just missing a function to either generate a script/CSS hash and modify the CSP header, or alternatively just add the tag required above.
That would certainly be possible, but AO does not do that (yet). If you feel like contributing, go for it, I'll be happy to guide you in the right direction! :-)
I'd love to if I can find some spare time in November.
I would go for hashes rather than nonces, as this would, if I understand correctly, not require AO to inject different CSP headers for different JS/CSS files; you just need to add a CSP header stating the hash is to be checked, right?
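The two options raised in this thread, sketched as an added example (not Autoptimize code and not written by any participant): `hash_policy` builds a header listing a SHA-256 source for each inline block, and `nonce_policy` stamps one per-response nonce on every tag. The sample HTML, the function names and the regex-based tag matching are assumptions made for illustration.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page (hypothetical paths); not real plugin output.
SAMPLE_HTML = (
    "<html><head><style>body{margin:0}</style></head>"
    "<body><script>console.log('hi');</script>"
    '<script src="/assets/bundle.js"></script></body></html>'
)

# Simplification: a regex is enough for this sample; real HTML needs a parser.
INLINE = re.compile(r"<(script|style)\b([^>]*)>(.*?)</\1\s*>", re.S | re.I)


def csp_hash(body):
    """CSP hash source: base64 SHA-256 over the exact text between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hash_policy(html):
    """Header value carrying one hash per inline script/style block."""
    sources = {"script": [], "style": []}
    for tag, attrs, body in INLINE.findall(html):
        if tag.lower() == "script" and re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external file: matched by 'self', not by a hash
        sources[tag.lower()].append(csp_hash(body))
    return "; ".join(
        f"{tag}-src 'self' {' '.join(hashes)}" for tag, hashes in sources.items()
    )


def nonce_policy(html, nonce=None):
    """Stamp a nonce on every script/style tag; return (html, header value)."""
    # The nonce must be unpredictable and regenerated for every response.
    nonce = nonce or base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    stamped = re.sub(r"<(script|style)\b", rf'<\1 nonce="{nonce}"', html, flags=re.I)
    return stamped, f"script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'"


if __name__ == "__main__":
    print("Content-Security-Policy:", hash_policy(SAMPLE_HTML))
    page, header = nonce_policy(SAMPLE_HTML)
    print("Content-Security-Policy:", header)
```

The hash is computed over the exact bytes of the inline block, so any change to that block (including whitespace) yields a different hash source in the header.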