I'm wary of #4, involving managing CSP dynamically. It feels like another moving part in an already complex ecosystem, another potential thing that could go wrong. Anyone else doing it the way shown there, unfounded concerns?
I get your point. There is certainly a spectrum here.
I can tell you (as the author) that for mission-critical assets with less 3rd party dependencies - I do see that most prefer to use the hard-coded or policy, or pull it via api per build in the CI/CD.
However for more dynamic websites (like blogs) that tend to have many 3rd party dependencies - It's very useful and effective to be able to update the policy with one click (or even automatically).
