TIL: Our current mobile script injection technique violates some CSPs!
I just got off a call with a team that currently can't use MetaMask because their page's CSP refuses to interact with an inline script.
It would help them if we also allowed connecting via a non-injected provider. Maybe we should set up detect-provider to bring its own inpage-provider, so it allows side-stepping this issue.
I'm reaching out to them to see what CSP this might be. I think a safely strict testing CSP might be script-src: 'none'.