Content Security Policy, is it impossible?! #945
Unanswered
jamilnielsen asked this question in Q&A
Replies: 0 comments
So my server works fine. I just did a security update, and the only security header I have an issue attempting in any capacity is Content Security Policy.
Raspberry Pi 5 - Docker - Traefik (reverse proxy) - header changes - Authelia (secure login) - FoundryVTT
As for the Content Security Policy, here's an example of what it might look like.
default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'
But to get scripts working I need either tons of hash codes, or 'unsafe-inline' as well as 'unsafe-eval'.
Connect needed a data: exception.
Style needed 'unsafe-inline'.
And fonts also throw an error, falling back on defaults.
The list is long and I gotta wonder, surely I'm doing it wrong, or is FoundryVTT just this way?
What settings do you folks use?
PS: If we could get support for "user:" (for improved security), that would be nice.
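On the "tons of hash codes" option raised in the question, the sketch below is an added example, not part of the original post and not FoundryVTT or Traefik code. It collects the inline `<script>` and `<style>` elements of a page and emits the post's baseline policy with `'sha256-…'` sources in place of `'unsafe-inline'`; the sample HTML and the names `InlineCollector`, `inline_blocks`, `csp_hash` and `build_policy` are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page for illustration; not taken from FoundryVTT.
SAMPLE_HTML = """<!doctype html>
<html><head>
<style>body { margin: 0; }</style>
<script src="/scripts/app.js"></script>
<script>window.APP_READY = true;</script>
</head><body></body></html>"""

class InlineCollector(HTMLParser):
    """Collect the exact text of inline <script> and <style> elements."""
    def __init__(self):
        super().__init__()
        self.blocks = {"script": [], "style": []}
        self._tag, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        # Elements with src= load external files; only inline content is hashed.
        if tag in self.blocks and "src" not in dict(attrs):
            self._tag, self._buf = tag, []

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            self.blocks[tag].append("".join(self._buf))
            self._tag = None

def inline_blocks(html):
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    return collector.blocks

def csp_hash(text):
    # The browser hashes the element's exact content, whitespace included.
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_policy(html):
    blocks = inline_blocks(html)
    def sources(kind):
        return " ".join(["'self'"] + sorted({csp_hash(b) for b in blocks[kind]}))
    return "; ".join([
        "default-src 'self'", "script-src " + sources("script"),
        "connect-src 'self'", "img-src 'self'", "style-src " + sources("style"),
        "base-uri 'self'", "form-action 'self'"])

if __name__ == "__main__":
    print(build_policy(SAMPLE_HTML))
```

Hashes only match inline elements whose content never changes between responses. They do not cover `eval()`-style calls, which is what `'unsafe-eval'` governs, or inline `style="…"` attributes.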