Is there any published documentation on how to correctly implement CSP headers for a more or less standard MediaWiki install without breaking page formatting? For example, something like
X-Content-Security-Policy: allow 'self'; img-src 'self' data:
I have found that enabling CSP headers on my site has led to various degrees of broken formatting.
Since CSP is intended to limit what’s being loaded to vetted/known sources, and since I almost certainly don’t know where everything in the extensions I’m using is coming from, I’m wondering if there is an established best practice for a minimally secure setting for this that doesn’t horribly mangle the appearance of the site.
In practice this is probably not a huge deal, but it does put a dent in the security metrics for the site when it’s scanned/audited.
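As an added example (not code from the original post or from MediaWiki), the following Python evaluator parses a policy like the one in the question, treating the legacy X-Content-Security-Policy `allow` directive as `default-src` from the standard Content-Security-Policy header, and reports which page loads it would block. The page origin and the list of loads are constructed sample values.

```python
from urllib.parse import urlparse

def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}.
    The legacy 'allow' directive is treated as default-src."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if tokens:
            name = tokens[0].lower()
            policy["default-src" if name == "allow" else name] = tokens[1:]
    return policy

def source_matches(source, url, page):
    """True if one source expression permits `url` on a page at origin `page`.
    Covers 'none', 'self', scheme sources (data:, https:) and host sources with an
    optional *. prefix; nonces, hashes and port matching are out of scope here."""
    src, res = source.lower(), urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return res.scheme in ("http", "https")  # * does not cover data: or blob:
    if src.endswith(":"):
        return res.scheme == src[:-1]
    host_src = urlparse(src if "://" in src else "//" + src)
    if res.scheme != (host_src.scheme or page.scheme):
        return False
    if host_src.netloc.startswith("*."):
        return res.netloc.endswith(host_src.netloc[1:])
    return res.netloc == host_src.netloc

def allows(policy, directive, url, page_url):
    """Evaluate one load; fall back to default-src when the directive is absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # nothing in the policy governs this directive
    return any(source_matches(s, url, urlparse(page_url)) for s in sources)

def audit(header_value, page_url, loads):
    """Return the (directive, url) pairs the policy would block."""
    policy = parse_csp(header_value)
    return [(d, u) for d, u in loads if not allows(policy, d, u, page_url)]

# Constructed sample: the header from the question and loads a wiki page might make.
SAMPLE_HEADER = "allow 'self'; img-src 'self' data:"
SAMPLE_PAGE = "https://wiki.example.org/wiki/Main_Page"
SAMPLE_LOADS = [
    ("script-src", "https://wiki.example.org/load.php?modules=startup"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("img-src", "https://upload.wikimedia.org/commons/x.png"),
    ("script-src", "https://cdn.example.net/widget.js"),
]

if __name__ == "__main__":
    for directive, url in audit(SAMPLE_HEADER, SAMPLE_PAGE, SAMPLE_LOADS):
        print(f"blocked: {directive} {url}")
```

Feeding it the resource URLs that the installed extensions actually request (from the browser's network log or the console's CSP violation reports) shows which sources need to be added before the policy stops breaking page formatting.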