Looking for comprehensive content-security-policy guideline

Recently I was building a reusable places autocomplete module requireing to load script from googleapis.com. I quickly found that only for production iOS I need to add <meta http-equiv="Content-Security-Policy"> with proper content. While I have in my backlog to address CSP properly, this time I wanted to add minimum and start to think about it as was unable to found all the info I need…

  • what are particular equivalent CSP values when there is no <meta http-equiv="Content-Security-Policy">?
    eg for script-src is the default insecure-inline insecure-eval?

  • are there CSP equivalents of cordova whitelist plugin tags in config.xml?

  • if I want to introduce security - how to deal with inline and eval cases? are there any nonce/hash plugins available?

  • how to distinguish between development and production?

  • what should be default CSP values to start with bare ionic apps?

  • is the strict-dynamic supported? if so how it can be used?

  • should the Angular Meta service work to configure this dynamically? OR maybe some better ionic/capacitor/cordova plugin/module is missing to support management of access lists?

This is a good list, did you come up with a set of answers?