The unsafe-inline Content Security Policy (CSP) keyword allows the execution of inline scripts or styles.
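As an added example (not code from the original page), the following check reports whether a policy value lets arbitrary inline scripts run. It accounts for the `default-src` fallback and for browsers that implement CSP Level 2 or later ignoring `'unsafe-inline'` when a nonce, a hash or `'strict-dynamic'` is also listed. The function names and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: does a Content-Security-Policy value let arbitrary inline <script> run?
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineScriptVerdict(header) {
  const directives = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) {
    return { allowsArbitraryInline: true, reason: "no script-src or default-src, scripts are unrestricted" };
  }
  const lower = sources.map((s) => s.toLowerCase()); // keywords match case-insensitively
  if (!lower.includes("'unsafe-inline'")) {
    return { allowsArbitraryInline: false, reason: "'unsafe-inline' is not listed" };
  }
  // 'unsafe-inline' is ignored when a nonce, a hash or 'strict-dynamic' is also listed.
  const overridden = lower.some(
    (s) => s === "'strict-dynamic'" || /^'(nonce|sha256|sha384|sha512)-/.test(s)
  );
  if (overridden) {
    return { allowsArbitraryInline: false, reason: "'unsafe-inline' is listed but ignored" };
  }
  return { allowsArbitraryInline: true, reason: "'unsafe-inline' is in effect" };
}

// Constructed sample policies (not taken from the page).
const SAMPLES = [
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-EXAMPLEnonce123'",
  "default-src 'self' 'unsafe-inline'; img-src *",
];
for (const policy of SAMPLES) {
  const v = inlineScriptVerdict(policy);
  console.log(`${v.allowsArbitraryInline ? "ALLOWS" : "blocks"} inline script: ${policy} (${v.reason})`);
}
```

The last sample shows that `'unsafe-inline'` placed on `default-src` still governs scripts when no `script-src` directive is present.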
If you add the unsafe-inline keyword to your policy, an attacker can try something like this.
For more information:
The meaning of unsafe-inline is a little different for us.