Hello there. First of all thanks for releasing all the amazing new custom UI goodies to the community! One major roadblock for me to embed third party libraries (such as Google Charts) is the inability to set the style-src CSP policy. This has been addressed with the “Permissions” features for custom UI, however only script-src, connect-src, image-src and media-src so far have permissions. To make it really versatile the style-src CSP is missing. This way I will also not need to make use of unsafe-inline because I can use trusted resources.
Is this feature just forgotten or is there any major reason why stylesheets cannot be included via CSP? If this is just forgotten I assume creating corresponding code that does exactly the same as for script-src should be trivial. Can we expect any ETA on this?