I spent some time over the last week working up a safe Content Security Policy for this website. As part of the testing, I've been running the mozilla/csp-logger under the domain to receive CSP error reports. Those seem to have fallen off to being only situations where content is being injected into the page, so I've flipped the switch to enable CSP in production.

Please let me know on Twitter if you run into any issues on the site. Thanks!