Write your Content-Security-Policy header in JavaScript, so you can have validation and automatic hashes.