Content Security Policy with server generated nonce
Frontend (App Interfaces)

Current CSPs rely on allow-listing domains which is difficult to secure, and vulnerable to attackers bypassing the CSP.

As an example, it is currently impossible to implement Google Tag Manager without compromising an OutSystems Content Security Policy, as it requires both the unsafe-inline directive and allow-listing the www.googletagmanager.com domain, which is found to host JSONP endpoints that can also be used to bypass the CSP.

See: https://csp-evaluator.withgoogle.com/ for a report

The recommended approach is to use server-generated nonce tokens in the CSP, and also in the scripts that are allowed to load. These scripts are considered trusted and may in turn safely load scripts from other, cross-domain sources.

For Tag Manager, a recommended setup is described here: https://developers.google.com/tag-platform/security/guides/csp

My suggestion is for OutSystems to support generation of nonces in the CSP headers returned to the client, and allow the front end to load a developer-defined script with the same nonce tag. From there we could load any other cross-domain resources without needing to weaken the CSP.

For more information, see https://web.dev/articles/strict-csp