The key is “right theme”. I don’t think there is any theme that currently complies. One could be built, but building a good theme is non-trivial.
Compliance is largely theme dependent, though WP core is partly responsible for headers sent.
I didn’t know what CSP was, but I just read https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and I don’t see how CSP relates to a theme at all. Themes don’t have anything to do with the headers sent. The themes in the repository must bundle all resources used also, so there is nothing in the theme that is from external sites (exception being Google Fonts).
Curiously, CSP is at odds with Google’s push for mobile-centric fast page loads where inlining is encouraged.
Themes outside the repository, which is a big business sadly, also do whatever they want.
What I don’t understand is: why do core-emoji/theme/plugin developers need to insert their JS that way?
And: is it possible to replace something like this?
<script type='text/javascript'>
/* <![CDATA[ */
var wp = {"apiSettings":{"root":"https:\/\/www.example.com\/wp-json\/x-x-7\/v1","namespace":"x-x-7\/v1"},"recaptcha":{"messages":{"empty":"Please verify that you are not a robot."}}};
/* ]]> */
</script>
Maybe the whole problem could be solved at the core level, with WP automatically providing CSP hashes/nonces for every unsafe script.
Secondly I would like to join islp’s last question about the script:
A similar or same (newbie) pops up on my index.html and it would be no great problem if I could just hash it, but for some reason it just keeps changing the hash. I already asked Stack Overflow if this is to be expected, but if somebody here has an answer, I’d be glad to hear it.
Best Regards
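The two questions above (whether WP could hand out hashes or nonces for its inline settings script, and why the hash of that script "keeps changing") come down to how a browser computes a CSP hash: it is SHA-256 over the exact bytes between the script tags, so a settings object that differs per site, or even a changed newline, yields a different hash, while a per-response nonce sidesteps that. The following is an added example, not code from the thread or from WordPress; the settings script is a constructed stand-in modelled on the snippet quoted above, and all function names are the example's own.

```python
import base64
import hashlib
import json
import re
import secrets
from typing import Iterable, Optional


def inline_settings_script(api_root: str) -> str:
    """Constructed stand-in for the settings object WordPress prints inline.

    The REST root is site-specific, so two installs (or an install that moves
    between http/https or staging/production) emit different script bodies.
    """
    settings = {"apiSettings": {"root": api_root, "namespace": "x-x-7/v1"}}
    payload = json.dumps(settings, separators=(",", ":")).replace("/", "\\/")
    return "\n/* <![CDATA[ */\nvar wp = %s;\n/* ]]> */\n" % payload


def csp_sha256(script_body: str) -> str:
    """CSP 'sha256-<base64>' source for an inline script body.

    Browsers hash exactly the text between <script> and </script>, so leading
    and trailing whitespace are part of the input and change the result.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def hash_policy(script_bodies: Iterable[str]) -> str:
    """script-src directive allowing exactly the given inline script bodies."""
    sources = " ".join("'%s'" % csp_sha256(body) for body in script_bodies)
    return "script-src 'self' " + sources


def policy_allows_hash(policy: str, script_body: str) -> bool:
    """True if the policy lists the hash of this exact script body."""
    return ("'%s'" % csp_sha256(script_body)) in policy


def make_nonce() -> str:
    """Fresh unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """script-src directive that allows scripts carrying this response's nonce."""
    return "script-src 'self' 'nonce-%s'" % nonce


def script_tag(body: str, nonce: Optional[str] = None) -> str:
    """Inline script tag, optionally stamped with the nonce attribute."""
    attr = ' nonce="%s"' % nonce if nonce else ""
    return "<script%s>%s</script>" % (attr, body)


def policy_allows_nonce(policy: str, tag: str) -> bool:
    """True if the tag's nonce attribute matches a 'nonce-...' source in the policy."""
    match = re.search(r'nonce="([^"]+)"', tag)
    return match is not None and ("'nonce-%s'" % match.group(1)) in policy


if __name__ == "__main__":
    prod = inline_settings_script("https://www.example.com/wp-json/x-x-7/v1")
    staging = inline_settings_script("https://staging.example.com/wp-json/x-x-7/v1")
    print("prod hash:   ", csp_sha256(prod))
    print("staging hash:", csp_sha256(staging))
    print("same body, stripped whitespace:", csp_sha256(prod.strip()))
    nonce = make_nonce()
    print("nonce header:", nonce_policy(nonce))
    print("nonce tag ok:", policy_allows_nonce(nonce_policy(nonce), script_tag(prod, nonce)))
```

Running it shows why a hash captured from one page load stops matching: any change to the JSON (a different REST root, a plugin adding a key) or to the surrounding whitespace produces a new `sha256-` value, so a static hash in the header only works for a script body that is byte-for-byte fixed. A nonce does not depend on the body at all, which is why it fits scripts whose content is generated per site or per request, at the cost of the server having to mint a new value for every response and put the same value in both the header and the tag.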
Please, read here:
https://developers.google.com/web/fundamentals/security/csp/
(after “If you absolutely must use it …”)
thanks – I just had to let go of a paid theme that did