TIL: Our current mobile script injection technique violates some CSPs!
I just got off a call with a team that currently can't use MetaMask because their page's CSP refuses to interact with an inline script.
It would help them if we also allowed connecting via a non-injected provider. Maybe we should set up detect-provider to bring its own inpage-provider, so it allows side-stepping this issue.
I'm reaching out to them to see what CSP this might be, I think a safely strict testing csp might be