Camunda 7.18: documentation wrong for content security policy?


after updating to Camunda 7.18 (using spring boot) I read the documentation about the content security policy. It says:
" Where $NONCE is a placeholder that is replaced by a random generated secure string. This nonce can be then used to enable inline scripts in the index.html pages using another placeholder called $CSP_NONCE:

<script type="application/javascript" nonce="$CSP_NONCE">


If you have custom inline scripts defined, make sure to add the aforementioned nonce attribute to the script tag, otherwise they will be ignored by the browser."

Using this configuration inside index.html for tasklist web app, the following HTML wrong code is generated:

After changing the index.html like this it worked:
<script type="text/javascript" src="$APP_ROOT/app/tasklist/scripts/tabulator.min.js" $CSP_NONCE></script>

Is the documentation wrong or did I configure something wrong?