A reasonable CSP (Content Security Policy) for shiny applications

I want to keep my shiny applications secure and reduce the risk of cross-site scripting and other code injection attacks.

I understand that defining a strict CSP can mitigate such risks; however, it also breaks the functionality of shiny.
I tried using a CSP header of script-src 'self'; but it breaks shiny's functionality. Using script-src 'self' 'unsafe-inline' 'unsafe-eval'; works, but from what I read, I presume it is too vulnerable.

What would be a reasonable CSP that actually works?

I'm using shiny server (open source) v1.5.12.933, and Nginx/1.14.0.

I'm having the same issue. Does anyone have an answer to this question?

I was just at the posit::conf and completely forgot to ask this. @winston do you have an idea who can help with this?