Echoing this other post: https://community.esri.com/t5/arcgis-javascript-maps-sdk-ideas/remove-styleapplyer-to-meet-content-s...
The documentation here suggests that only script-src: 'wasm-unsafe-eval' and worker-src: blob: are required for the maps sdk to work: https://developers.arcgis.com/javascript/latest/faq/#does-the-prod_name_long-support-all-content-sec...
However, in practice we find that if we set style-src without 'unsafe-inline', SceneViews do not work.
See a minimal repro in this sandbox: https://codesandbox.io/p/sandbox/arcgis-csp-repro-4ndd2z
It isn't configured correctly so the auto starting task crashes, but you can run it with the following steps:
- Open a new terminal
- npm install
- npm run dev
- Pop out the preview in a new window
Note that the scene seems to load but a bunch of things don't work properly within the SceneView
