Implement a Content Security Policy #61
Description
CSP Generator came up with this:
default-src 'self';
script-src 'self';
style-src 'self' http://fonts.googleapis.com;
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self';
frame-src 'self' https://www.youtube.com;
img-src 'self' https://play-lh.googleusercontent.com https://user-images.githubusercontent.com;
manifest-src 'self';
media-src 'self';
worker-src 'none';
Maybe it's good enough?