Hey Jose,
I ended up finding a thread about CSP and internal settings on GitHub, so I joined to participate. I had returned my .htaccess to the original Joomla version, and the two CSP checking sites both still showed the 2 unsafe inline entries, along with an X-frame entry. I asked them where they had this hidden in Joomla, since I had disabled yours. They did provide me a plugin for Joomla 3.X, but they are integrating that with Joomla 4, and didn't like me suggesting they had hidden it in code, so they closed the thread.
Here are my settings:
## Begin Securitycheck Pro Xframe-options protection
## Don't allow any pages to be framed - Defends against CSRF
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN
</IfModule>
## End Securitycheck Pro Xframe-options protection
## Begin Securitycheck Pro Prevent mime based attacks
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## End Securitycheck Pro Prevent mime based attacks
## Begin Securitycheck Pro Strict Transport Security
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
## End Securitycheck Pro Strict Transport Security
## Begin Securitycheck Pro X-Xss-Protection
<IfModule mod_headers.c>
Header set X-Xss-Protection "1; mode=block"
</IfModule>
## End Securitycheck Pro X-Xss-Protection
## Begin Securitycheck Pro Content-Security-Policy protection
#<IfModule mod_headers.c>
#Header set Content-Security-Policy "default-src 'self' corporateone.ca; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';"
#</IfModule>
## End Securitycheck Pro Content-Security-Policy protection
## Begin Securitycheck Pro Referrer policy protection
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin"
</IfModule>
## End Securitycheck Pro Referrer policy protection
## Begin Securitycheck Pro Feature policy protection
<IfModule mod_headers.c>
Header set Feature-Policy "push 'self'"
</IfModule>
## End Securitycheck Pro Feature policy protection
You can see that I have commented out my Content-Security-Policy settings so that my admin buttons work.
content-security-policy.com/
If you enter corporateone.ca in here, you will see the duplicate entries for X-frame, but it probably won't complain about duplicate CSP entries since I have had to disable mine. This same site, or one of the other reference sites, suggests the inline statements are poor entries.
Louis
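The checks the online scanners were running against the site (a duplicated X-Frame-Options header, 'unsafe-inline' in the CSP) can be reproduced offline so the logic is visible. The following is an added Python example, not part of this post or of Securitycheck Pro; the HTTP response it inspects is constructed, and audit_url is a hypothetical helper for running the same checks against a live URL. It also covers the case this thread turns on: when a page is sent more than one Content-Security-Policy header, browsers enforce every one of them, so inline script is only permitted if each policy that covers script-src allows it.

```python
"""Offline version of the header checks the online CSP scanners perform.

Added example, not part of the original post or of Securitycheck Pro. The
response below is constructed: its repeated X-Frame-Options line and the
'unsafe-inline' sources are invented to exercise the checks.
"""
import urllib.request
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample: what a site looks like when .htaccess and a CMS plugin
# both emit X-Frame-Options, and two Content-Security-Policy headers are sent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'\r\n"
    "Content-Security-Policy: img-src 'self' data:\r\n"
    "\r\n"
    "<html></html>\r\n"
)


def parse_headers(raw_response: str) -> List[Header]:
    """Return (lowercased name, value) pairs in order, keeping repeated headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs: List[Header] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: List[Header]) -> List[str]:
    """Report duplicated headers and CSP directives that permit inline code."""
    findings: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    # A single-valued header sent twice usually means two layers (web server
    # config and the application) both set it; remove it from one of them.
    for name in ("x-frame-options", "x-content-type-options", "strict-transport-security"):
        if len(by_name.get(name, [])) > 1:
            findings.append(f"duplicate {name}: {by_name[name]}")

    policies = [parse_csp(p) for p in by_name.get("content-security-policy", [])]
    if not policies:
        findings.append("no content-security-policy header")

    # Browsers enforce every CSP header independently, so a load must satisfy
    # all of them. Inline script/style is only allowed if every policy that
    # covers the directive (directly or via default-src) allows it.
    for directive in ("script-src", "style-src"):
        covering = [p.get(directive, p.get("default-src")) for p in policies]
        covering = [sources for sources in covering if sources is not None]
        if policies and not covering:
            findings.append(f"{directive} is not restricted by any policy")
        elif covering and all("'unsafe-inline'" in s for s in covering):
            findings.append(f"{directive} allows 'unsafe-inline'")

    # X-Frame-Options is the legacy clickjacking control; CSP frame-ancestors
    # is its replacement and takes precedence where both are present.
    if "x-frame-options" in by_name and not any("frame-ancestors" in p for p in policies):
        findings.append("framing controlled only by x-frame-options; consider frame-ancestors")
    return findings


def audit_url(url: str) -> List[str]:
    """Hypothetical helper: the same checks against a live site (needs network)."""
    with urllib.request.urlopen(url) as resp:
        headers = [(k.lower(), v) for k, v in resp.getheaders()]
    return audit(headers)


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

Rather than commenting the policy out entirely while the admin buttons are sorted out, the same policy can be shipped as Content-Security-Policy-Report-Only: browsers then report what would have been blocked without enforcing it, which shows which inline scripts and styles the admin pages depend on before the enforcing header goes back in.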