Content-Security-Policy is one of those headers that sits quietly in the "we should really do this properly" pile until a security review forces the issue. Then you sit down, open the devtools console, and spend a week clicking around your own app. I did this often enough that