Reputation: 255
The Spring SSO class Saml2WebSsoAuthenticationRequestFilter creates a hard-coded HTML page with an inline JavaScript redirect.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-oZhLbc2kO8b8oaYLrUc7uye1MgVKMyLtPqWR4WtKF+c='">
<meta charset="utf-8" />
</head>
<body>
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="{authenticationRequestUri}" method="post">
<div>
<input type="hidden" name="SAMLRequest" value="{HtmlUtils.htmlEscape(samlRequest)}"/>
<input type="hidden" name="RelayState" value="{HtmlUtils.htmlEscape(relayState)}"/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
<script>window.onload = function() { document.forms[0].submit(); }</script>
</body>
</html>
I add a Content Security Policy at the web server level, which does not include 'unsafe-inline'. Web browsers won't allow the redirect to run because of this unsafe-inline policy.
Is there a way that this JavaScript redirect is expected to work with a global CSP policy? Do I need to add the hash to the global policy, or override the Saml2WebSsoAuthenticationRequestFilter class and replace the HTML?
Here's a link to the issue where the CSP hash was added to the HTML: https://github.com/spring-projects/spring-security/issues/11676
Upvotes: 0
Views: 30