Comment #739

Anonymous wrote the following reply to https://jlelse.blog/links/2020/12/web-mess:

CSP not mentioned, sadly. Btw, you don't have a great CSP: it includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or does not restrict the sources for object-src or script-src. You can test it on Mozilla Observatory.

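
The checks listed in the comment above, as an added example that is not part of the comment, the blog's code or Mozilla Observatory's implementation. The function names and the two sample policies are constructed for illustration, and the fallback to default-src follows standard CSP behaviour.

```python
# Added example: flags the CSP weaknesses listed in the comment above.
# Function names and the sample policies are constructed for illustration.

BROAD = {"*", "https:", "http:"}          # scheme-only or wildcard sources
CHECKED = ("script-src", "object-src")


def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            # Lowercasing is fine here: only keywords and schemes are compared.
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_csp(header):
    """Return a sorted list of findings for script-src and object-src."""
    policy = parse_csp(header)
    findings = set()
    for directive in CHECKED:
        # Browsers fall back to default-src when the directive is absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.add(f"{directive}: sources not restricted")
            continue
        for src in sources:
            if src in BROAD:
                findings.add(f"{directive}: overly broad source {src}")
            if directive == "script-src" and src in ("'unsafe-inline'", "data:"):
                findings.add(f"script-src: allows {src}")
    return sorted(findings)


# Constructed sample policies, not taken from any real site.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' data: https:"
STRICT = "default-src 'none'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_csp(header) or "no findings")
```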