CSP WordPress

still painfull but in the end its not working well

Content-Security-Policy HTTP response header helps to reduce XSS risks on modern browsers by declaring, which dynamic resources they are allowed to load.
The Content-Security-Policy header allows to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.

What types of attacks does Content-Security-Policy help reduce?
Content-Security-Policy was first designed to reduce the attack surface of Cross Site Scripting (XSS) attacks and further on also to protect against other forms of attack such as Click Jacking.

Referring to Recital 83 GDPR, Security of Processing GDPR, when you touch personal data processing there is no way out of
trying everything to set security up to state of the art. Of Course always taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
Always have a look at GDPR Art5.1.f, Art25, Art32.2 too.

So a guess out in the wild, WordPress will still be used and serving content with script-src ‘unsafe-inline’ and ‘unsafe-eval’ till someone is gonna fix this without breaking that whole CMS.