Edit: remember that support for 1.1 is relatively low and incomplete, as the webappsec group is voting on whether to move it to WD (working draft) or not. So for cross-browser compatibility, you are still better off with 1.0, which is at this point very stable in major browsers.
Yes. You may. http://www.w3.org/TR/CSP/#source-list See the host ABNF grammar.
While it looks great, usually it's very difficult to integrate this header without breaking existing JS functionality
I haven't read much about 1.1, but as far as I know the nonce and hash added to 1.1 are there to deal with whitelisting inline scripts.
Please see http://w3c.github.io/webappsec/specs/content-security-policy...
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=855326
https://bugs.webkit.org/show_bug.cgi?id=89577
http://lists.w3.org/Archives/Public/public-webappsec/2013Jun...
Also, if you are interested in client-side security, Mike West (from Google, one of the editors of CSP) has given a talk recently. http://www.parleys.com/play/529bee0be4b039ad2298ca0b
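To make the nonce and hash mechanism mentioned in the thread concrete, here is an added example (not code from any commenter or from the CSP spec) that builds a `script-src` policy with a nonce source and hash sources, then models how an inline script is matched against it. The function names and sample scripts are hypothetical, and the `'nonce-…'` / `'sha256-…'` source syntax is the one standardized in CSP Level 2.

```javascript
const crypto = require("crypto");

// Hash source: base64 SHA-256 over the exact text between <script> and </script>.
function hashSource(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Nonce: unguessable and generated per response. Reusing one across
// responses lets injected markup carry a valid nonce.
function newNonce() {
  return crypto.randomBytes(16).toString("base64");
}

// Build the directive: same-origin files, one nonce, and a hash for each
// static inline script that cannot be given a nonce attribute.
function buildPolicy(nonce, hashedScripts) {
  const sources = ["'self'", `'nonce-${nonce}'`, ...hashedScripts.map(hashSource)];
  return `script-src ${sources.join(" ")}`;
}

// Simplified model of the browser-side decision for one inline script.
// It ignores 'unsafe-inline' and other directives on purpose.
function inlineScriptAllowed(policy, scriptText, nonceAttr) {
  const sources = policy.replace(/^script-src\s+/, "").split(/\s+/);
  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) return true;
  return sources.includes(hashSource(scriptText));
}

// Constructed sample input: one static inline script allowed by hash.
const STATIC_INLINE = "initAnalytics();";

function demo() {
  const nonce = newNonce();
  const policy = buildPolicy(nonce, [STATIC_INLINE]);
  return {
    policy,
    byHash: inlineScriptAllowed(policy, STATIC_INLINE, null),
    byNonce: inlineScriptAllowed(policy, "renderPage();", nonce),
    edited: inlineScriptAllowed(policy, STATIC_INLINE + " ", null),
    unlisted: inlineScriptAllowed(policy, "notListed();", "guessed-nonce"),
  };
}
```

A hash only matches byte-for-byte, so any templating or minification that changes whitespace in the inline script requires recomputing it.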