CSP was build to fight web vulnerabilities like Cross-Site Scripting (XSS). Why ‘unsafe-inline’ in CSP a bad idea?