Suggestions for Content Security Policy (CSP)

Further to PR #2575, I understand work is still ongoing regarding the CSP. I would like to share mine, which I have worked on and have been running for a few months now.

My CSP is as follows in the .toml file:

"Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

As mentioned above, I have been running this for a few months without observed issues in the browser console. My settings are quite strict, but most scanners are happy with this (e.g. https://csp-evaluator.withgoogle.com/).

Feel free to disregard this if work is almost finalised or if my settings are of no use. Merely opening and posting in case it might help save some development time.
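As an added example (not code from the issue author or the project), here is a small reviewer-style check that parses a CSP header value like the one quoted above into directives and flags the points a maintainer would look at: whether `default-src` is `'none'`, whether `script-src`/`object-src` allow inline or eval, the `'unsafe-inline'` in `style-src`, and directives such as `base-uri` and `frame-ancestors` that do not fall back to `default-src`. The function and finding texts are my own.

```python
# Added example: parse a Content-Security-Policy value and list review findings.
# The policy below is the one quoted in the issue; helper names are my own.
STRICT_CSP = (
    "Content-Security-Policy: default-src 'none'; connect-src 'self'; "
    "font-src 'self'; frame-ancestors 'none'; img-src 'self'; "
    "manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    header = "content-security-policy:"
    if value.strip().lower().startswith(header):      # tolerate "Name: value" form
        value = value.strip()[len(header):]
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review_csp(value: str) -> list[str]:
    """Return findings a reviewer would raise; an empty list means none."""
    policy = parse_csp(value)
    default = policy.get("default-src", [])
    findings = []
    if default != ["'none'"]:
        findings.append("default-src is not 'none'; unlisted fetch directives fall back to it")
    # script-src and object-src DO fall back to default-src when absent.
    for directive in ("script-src", "object-src"):
        sources = policy.get(directive, default)
        if {"'unsafe-inline'", "'unsafe-eval'", "*"} & set(sources):
            findings.append(f"{directive} allows inline/eval/wildcard: {sources}")
    if "'unsafe-inline'" in policy.get("style-src", []):
        findings.append("style-src 'unsafe-inline' permits injected <style>; prefer nonces or hashes")
    # These two do NOT fall back to default-src, so 'none' there does not cover them.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing; the page may be framed (clickjacking)")
    if "base-uri" not in policy:
        findings.append("base-uri missing; an injected <base> could redirect relative URLs")
    return findings


if __name__ == "__main__":
    for finding in review_csp(STRICT_CSP):
        print("-", finding)
```

Run against the quoted policy it reports only the `style-src 'unsafe-inline'` and the missing `base-uri`; the other checks pass.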