Compatibility Issue with CSP Due to Onload Attribute in Responsive Images

[GonrasK]

In addition to laravel-medialibrary I'm utilizing the spatie/laravel-csp package and adhering to a strict CSP configuration. The issue arises with the responsive images feature of the media library. The generated tags include an onload attribute containing inline JavaScript, which conflicts with my CSP settings -

$ curl -I https://mydomain.com
HTTP/2 200 
date: Wed, 29 Nov 2023 17:57:06 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-cache, private
content-security-policy: base-uri 'self';connect-src 'self';default-src 'self';form-action 'self';img-src 'self';media-src 'self';object-src 'none';script-src 'self' 'unsafe-inline' 'nonce-1j6D7g7APhvTpPalGtMjj9sCuffDyo5t';style-src 'self' 'unsafe-inline'

The browser refuses to execute the inline script in the onload attribute, leading to CSP violation reports -

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-67KaA7Fb3jdS9gqASwfUPPN8VaURL7Bp'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list

Ideally, I would like to avoid using 'unsafe-inline' in the script directive for security reasons.
Here's an example of an <img> tag generated by the media library:

<img alt="..." srcset="https://mydomain.com/storage/93/responsive-images/01HG9600282B0PW3MJGKG7___media_library_original_125_143.webp 125w, data:image/svg+xml;base64,PCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0...= 32w" onload="window.requestAnimationFrame(function(){if(!(size=getBoundingClientRect().width))return;onload=null;sizes=Math.ceil(size/window.innerWidth*100)+'vw';});" sizes="1px" src="https://mydomain.com/storage/93/01HG9600282B0PW3MJGKG7.webp" width="125" height="143">

Could you please advise on a possible solution or workaround for this issue? Are there any configurations within the media library that I can leverage to either modify or remove the inline onload handler, or to make it compatible with a strict CSP implementation?

[Perzonallica]

Has anyone managed to solve this problem?