
[Magento 2.4.7] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src #3270

Closed
hostep opened this issue May 3, 2024 · 2 comments · Fixed by #3277
Comments

@hostep
Contributor

hostep commented May 3, 2024

Preconditions

Magento Version : CE 2.4.7

ElasticSuite Version : 2.11.6.1

Environment : Developer

Third party modules : many

Steps to reproduce

  1. Open the frontend of the shop, put a product in your cart
  2. Open the javascript console
  3. Go to checkout

Expected result

  1. No errors that have to do with Content Security Policy (CSP)

Actual result

  1. Seeing 2 errors:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src ...

One comes from this script: https://github.com/Smile-SA/elasticsuite/blob/2.11.6.1/src/module-elasticsuite-tracker/view/frontend/templates/config.phtml
The other from this script: https://github.com/Smile-SA/elasticsuite/blob/2.11.6.1/src/module-elasticsuite-tracker/view/frontend/templates/variables/page.phtml

Maybe other scripts are also affected, I haven't checked everything.

More details

Explanation (quoted from Adobe documentation):

In Adobe Commerce and Magento Open Source version 2.4.7 and later, CSP is configured in restrict-mode by default for payment pages in the storefront and admin areas, and in report-only mode for all other pages. The corresponding CSP header does not contain the unsafe-inline keyword inside the script-src directive for payment pages. Also, only whitelisted inline scripts are allowed.

Adobe recommends fixing this using the SecureHtmlRenderer View Helper so that a nonce is set on the script tag: https://developer.adobe.com/commerce/php/development/security/content-security-policies/#whitelist-an-inline-script-or-style
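To make the recommended fix concrete, here is an added illustration (not ElasticSuite's own template code) of a tracker-style inline script written the way that trips the restrict-mode CSP, next to the same script emitted through Magento's `SecureHtmlRenderer::renderTag()`. The `$secureRenderer` variable is the helper Magento injects into `.phtml` templates; the `smileTrackerConfig` payload is a constructed stand-in, not the real tracker configuration.

```php
<?php
/**
 * Added example, not part of the original issue or of the ElasticSuite module.
 *
 * Assumptions: this runs inside a Magento 2.4.7 .phtml template, where
 * $secureRenderer is the injected \Magento\Framework\View\Helper\SecureHtmlRenderer
 * instance. The tracker configuration below is a constructed sample.
 */
/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */

// Constructed sample payload standing in for the tracker configuration.
$trackerConfig = [
    'endpoint'      => '/tracker/collect',
    'sessionCookie' => 'smile_tracker',
];
// JSON_HEX_* keeps the payload safe to embed inside a <script> body.
$configJson = json_encode($trackerConfig, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>

<!-- BEFORE: a bare inline <script>. On checkout/payment pages the 2.4.7 CSP
     header has neither 'unsafe-inline' nor a matching nonce for it, so the
     browser logs "Refused to execute inline script" and skips it. -->
<script>
    window.smileTrackerConfig = <?= /* @noEscape */ $configJson ?>;
</script>

<?php
// AFTER: build the script body as a string and let SecureHtmlRenderer emit the
// tag. The helper whitelists the script in the page's CSP header (the nonce
// mechanism described in the Adobe docs linked above), so the browser runs it
// without the policy having to allow 'unsafe-inline'. The last argument
// (false) tells the helper the content is script code, not plain text.
$scriptString = 'window.smileTrackerConfig = ' . $configJson . ';';
?>
<?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>
```

Any inline `<script>` in the affected templates needs the same treatment; an inline event handler attribute (`onclick="..."`) is whitelisted the same way through the helper's `renderEventListenerAsTag()` rather than by leaving it on the element.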

@romainruaud
Collaborator

@vahonc can you quickly check this?

@vahonc
Collaborator

vahonc commented May 3, 2024

@romainruaud I'll take care of it.
