This Date script won’t run when the page loads because it violates the CSP at top (it worked before adding the CSP). Yet it surely isn’t inline JS, is it? Why would it not run? (This page is “company1.”)
You seem to have an incomplete or incorrect idea about what CSP is. I think it might help to read up some more on what CSP actually is and what it’s for.
Yes, it is.
If you want to allow this bit of JS you can do three things
Put it in a separate .js file and include it using <script src="some-file.js" />
Add nonce="{{ some random value }}" to the <script> tag (e.g. <script nonce="jhdgsd8asA">) and then add that same nonce to the CSP: script-src nonce-jhdgsd8asA
Add unsafe-inline to the script-src part of CSP (NOT recommended, defeats the purpose of CSP)
The point of the CSP is that you explicitly state which domains your site is allowed to download stuff from. So if you want to show an image that is hosted on www.companyname.com then you need to have www.companyname.com in the img-src of your CSP.
PS. Don’t choose 3, it’s a bad option. Did I mention it’s not recommended?
I spent half a day yesterday reading all about SCP. However, I failed to follow through on the nonce aspect to grasp it’s implications. I followed #1 for some scripts. Yes, #3 is BAD.