I use a Hugo template with a lot of inline scripts, but they are local. I added my custom analytics domain in the form of "https://example.com".
Before I installed this plugin, my CSP was script-src 'self' 'unsafe-inline' https://example.com.
Now, it is way better for browsers with CSP3, but the backward compatibility is worse than my previous policy (because it adds http:, https: and unsafe-inline).
Current policy with csp plugin:
script-src 'nonce-xxxxxx' 'strict-dynamic' 'unsafe-inline' 'self' https: http:;
I would really like to have script-src 'nonce-xxxxxx' 'strict-dynamic' only, because I really don't need backward compatibility.
Thanks a lot in advance.
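
An added example, not part of the original post and not the plugin's code: a simplified model of which script-src source expressions a browser honours at each CSP level, applied to the plugin's policy and to the nonce-only policy asked for above. The function names and the `STRICT_POLICY` constant are hypothetical, and only source-list handling is modelled.

```javascript
// Policy quoted in the post (the nonce is the post's placeholder value).
const PLUGIN_POLICY =
  "script-src 'nonce-xxxxxx' 'strict-dynamic' 'unsafe-inline' 'self' https: http:;";
// The policy the poster would prefer (assumed spelling of that request).
const STRICT_POLICY = "script-src 'nonce-xxxxxx' 'strict-dynamic'";

const isNonceOrHash = (s) => /^'(nonce|sha(256|384|512))-[^']+'$/.test(s);

// Return the source expressions of the script-src directive, in order.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return [];
}

// level: 1, 2 or 3, the CSP level the browser implements.
function effectiveSources(policy, level) {
  let sources = scriptSrcSources(policy);
  // Older browsers ignore source expressions they do not recognise.
  if (level < 3) sources = sources.filter((s) => s !== "'strict-dynamic'");
  if (level < 2) sources = sources.filter((s) => !isNonceOrHash(s));
  // CSP2 and later: a nonce or hash in the list disables 'unsafe-inline'.
  if (sources.some(isNonceOrHash)) {
    sources = sources.filter((s) => s !== "'unsafe-inline'");
  }
  // CSP3: 'strict-dynamic' also disables 'self', host and scheme sources.
  if (sources.includes("'strict-dynamic'")) {
    sources = sources.filter(
      (s) => s.startsWith("'") && s !== "'self'" && s !== "'unsafe-inline'"
    );
  }
  return sources; // an empty list means no script is allowed to run
}

for (const [label, policy] of [['plugin', PLUGIN_POLICY], ['strict', STRICT_POLICY]]) {
  for (const level of [3, 2, 1]) {
    const eff = effectiveSources(policy, level).join(' ') || '(nothing allowed)';
    console.log(`${label} policy, CSP${level} browser: ${eff}`);
  }
}
```

In a CSP3 browser both policies reduce to the same nonce plus 'strict-dynamic' pair. The extra expressions only take effect in older browsers, where the nonce-only policy would instead allow just nonced scripts (CSP2) or no scripts at all (CSP1).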