Security: remove inline CSS and inline fonts using data: URL

[TobiasKrais]

Currently I need to add additional rules for my Content-Security-Policy because of aieditor:
Content-Security-Policy: default-src 'self'; font-src 'self' data:; style-src 'self' 'unsafe-inline'

Content-Security-Policy: default-src 'self' does not work, because woff file and inline CSS is included in JS. Please fix this security issue. Please move inline CSS to CSS file and inline font to extrenal font file