100% agree. If Google is serious about CSP, show me where they document the CSP that doesn't break AdSense or Analytics. It's a moving target, AFAICT, and the reason why I don't use CTP in production (at work).
The idea behind CSP based on nonces (as opposed to the "old" approach of using whitelists) is that you add the valid nonce token only to the script directly sourced from your page, and trust propagates to other scripts loaded dynamically by the "loader" script. This way you no longer have to care about what domains the widget uses -- if you trust the initial script, give it a nonce and it will execute, along with the subresources it needs.
Of course you can still have a domain whitelist or use Subresource Integrity if you're loading scripts from potentially untrusted infrastructure. But the nonce-based approach is meant precisely to avoid the "moving target" problem you mentioned.
That's a very Google idea, and it's a bad one. Malware distributed through Google's ad system has been an ongoing problem.[1][2] Letting Google's advertiser customers inherit Google's trust is a terrible idea.
Google needs to put all their ads in IFRAME sandboxes. Tightening up on what an IFRAME can do wouldn't be a bad idea, either. No popups, no self-starting video, no absolute positioning outside the clipping pane, no expanding the frame size...
The idea behind CSP based on nonces (as opposed to the "old" approach of using whitelists) is that you add the valid nonce token only to the script directly sourced from your page, and trust propagates to other scripts loaded dynamically by the "loader" script. This way you no longer have to care about what domains the widget uses -- if you trust the initial script, give it a nonce and it will execute, along with the subresources it needs.
Of course you can still have a domain whitelist or use Subresource Integrity if you're loading scripts from potentially untrusted infrastructure. But the nonce-based approach is meant precisely to avoid the "moving target" problem you mentioned.