FrankPoppe
Quartz | Level 8

I have a StoredProcess web application that relies on the Bootstrap and jQuery packages for layout and scripting. 
The content is created through a series of DATA STEPs and PROC STREAM calls, writing to _webout.
I have in the <head> section references to the Bootstrap and jQuery sources on their webpages. This used to work.
Increasingly, however, modern browsers refuse to load them because Content-Security-Policy directives block that. 
The SAS web application generates HTTP-headers specifying so. 

I have tried two ways to overcome that:

  • <meta http-equiv="Content-Security-Policy" content="...." /> in the <head> section
  • old = stpsrv_header("Content-Security-Policy" , "..." ) ; in a DATA STEP before opening _webout.

But the SAS-generated HTTP-header remains in force.

 

Any ideas?
(Except downloading the Bootstrap and jQuery packages and installing them locally in Config\Lev1\Web\WebServer\htdocs - I would like to avoid changes there)

AllanBowe
Barite | Level 11

The option you describe (putting the web content on the web server) is, in fact, the correct approach to take.  Mixing HTML/CSS/JS/IMG/ICO/WOFF etc. into DATA STEP and PROC STREAM is a very hacky / hard to maintain & extend way to build (non-trivial) web apps.

 

The option you are probably looking for would be to modify the CSP policy in the web server directly.  You cannot change CSP policy from SAS code, nor from the content (or headers) of the WEBOUT destination.

 

More info here:  https://sasjs.io/security/#content-security-policy

/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)

Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
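
Added example, not part of the thread or of any SAS code: a simplified JavaScript model of how a browser combines several Content-Security-Policy policies, showing why a policy placed in a <meta> tag written to _webout cannot loosen the header the web server already sends. The origins, URLs and policy strings are constructed, and the matcher handles only 'self', scheme sources and host sources.

```javascript
// Simplified model of CSP enforcement for <script src> loads (added example).
// Handles 'self', scheme sources and host sources; no nonces, hashes, ports, paths.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function policyAllowsScript(policyText, scriptUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  // script-src-elem falls back to script-src, which falls back to default-src.
  const sources = policy.get('script-src-elem') ?? policy.get('script-src')
    ?? policy.get('default-src');
  if (sources === undefined) return true; // this policy does not govern scripts
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// A load must pass EVERY policy delivered with the page, header or <meta> alike.
function browserAllowsScript(policies, scriptUrl, pageOrigin) {
  return policies.every((p) => policyAllowsScript(p, scriptUrl, pageOrigin));
}

// Constructed sample values, not taken from any SAS installation.
const PAGE = 'https://sas.example.test';
const CDN_SCRIPT = 'https://cdn.example.test/jquery.min.js';
const serverHeader = "default-src 'self'";
const metaFromWebout = "script-src 'self' https://cdn.example.test";

console.log(browserAllowsScript([metaFromWebout], CDN_SCRIPT, PAGE));               // true
console.log(browserAllowsScript([serverHeader, metaFromWebout], CDN_SCRIPT, PAGE)); // false
console.log(browserAllowsScript([serverHeader, metaFromWebout], PAGE + '/x.js', PAGE)); // true
```

Because each additional policy can only narrow what is allowed, the CDN script loads only once the policy sent by the web server itself lists the CDN origin, or once the script is served from the page's own origin.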
FrankPoppe
Quartz | Level 8

I agree in principle that using DATA STEP and PROC STREAM is a kind of a hack.
On my development system I have access to the sas.conf file, and to the .../htdocs folder. But the idea behind this application is that it can be imported and set up by SAS developers, and in a production system they usually do not have access to those locations. Those are usually under the control of quite different organisational units, sometimes not really knowing anything about SAS and SAS applications.
So that is why I am looking for ways to avoid that.

(I confess I can see that those other organisational units might consider streaming that kind of code from SAS a security risk...)
But it should be possible to download the Bootstrap and jQuery code, and stream it to _webout.

AllanBowe
Barite | Level 11

Actually, there is a way you can still keep your web app contained in your SAS code, and stream everything through WEBOUT, and comply with CSP.

 

We manage it with Data Controller - one SAS program (demostream_sas9.sas) deploys the entire app:  https://git.datacontroller.io/dc/dc/releases

 

An overview of the technique is described here: http://sasapps.io/sas-streamed-apps

/Allan