Remove nonce from CSP to allow unsafe-inline to work

Browsers ignore 'unsafe-inline' when a nonce is present. Reverting to
unsafe-inline only until all inline handlers are refactored.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 10:46:06 -05:00
parent 55209e0b05
commit 1101558fca
@@ -26,10 +26,12 @@ class SecurityHeadersMiddleware {
$nonce = self::getNonce();
// Content Security Policy - restricts where resources can be loaded from
// Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers
// TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,
// then remove 'unsafe-inline' from script-src for full CSP protection
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
// Currently using 'unsafe-inline' for scripts due to legacy onclick handlers throughout views
// NOTE: Nonce infrastructure exists (getNonce method, nonce attributes in views) but is not
// enforced in CSP until all inline handlers are refactored to use addEventListener.
// TODO: Complete refactoring of inline handlers, then change to:
// script-src 'self' 'nonce-{$nonce}' (removing unsafe-inline)
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
// Prevent clickjacking by disallowing framing
header("X-Frame-Options: DENY");
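Review bot: Dropping the nonce from script-src leaves the `$nonce = self::getNonce();` assignment on the first context line feeding nothing in this header, and it reduces the effective policy to `script-src 'self' 'unsafe-inline'`, under which any injected inline script executes; the previous header was stricter in practice, since nonce-aware browsers enforced the nonce and ignored 'unsafe-inline', which is exactly the behaviour the commit message describes. To avoid losing that signal while the TODO is worked through, consider emitting the nonce-only policy (`script-src 'self' 'nonce-{$nonce}'`) in a second `Content-Security-Policy-Report-Only` header with a reporting directive, so the remaining inline handlers surface as violation reports without blocking anything; the comment block should also state plainly that the enforced policy currently permits all inline scripts, rather than only that the nonce is "not enforced".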