Hey @michaeld, I’ve merged in a fix onto the latest main with FIX: invalid CSP directive sources should allow site to boot with valid CSP directives by tyb-talks · Pull Request #31256 · discourse/discourse · GitHub. This is also available in tests-passed and stable now.
This change in behaviour in handling CSP directives stemmed from a backported security patch in Rails - I touch on this in more detail in the PR. Discourse will now filter out such values before building the CSP.
Regarding Safe mode, as it only disables the JavaScript side of things, it wouldn’t have helped here since this data is processed server-side.
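Added example (not the code from PR #31256, whose exact filtering rules are not reproduced here): a small Ruby CSP builder that checks each directive source against an approximation of the CSP source-expression grammar and drops anything that would not parse or that contains header-breaking characters, so the policy is still emitted from the remaining valid sources instead of failing outright. The regexes and the `build_csp` / `valid_csp_source?` names are assumptions for illustration.

```ruby
# Added example, not Discourse's own implementation.
# Keyword sources must keep their single quotes, as in the header itself.
KEYWORD_SOURCES = %w['self' 'none' 'unsafe-inline' 'unsafe-eval'
                     'strict-dynamic' 'report-sample' 'wasm-unsafe-eval'].freeze
SCHEME_SOURCE = /\A[a-z][a-z0-9+.-]*:\z/i                       # e.g. data: blob:
NONCE_SOURCE  = %r{\A'nonce-[A-Za-z0-9+/=_-]+'\z}
HASH_SOURCE   = %r{\A'sha(256|384|512)-[A-Za-z0-9+/=_-]+'\z}
# Optional scheme, optional *. wildcard label, host labels, optional port, optional path.
HOST_SOURCE   = %r{\A(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9*](?:[a-z0-9-]*[a-z0-9])?
                  (?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::(?:\d+|\*))?(?:/[^\s;,]*)?\z}ix

# True only for a single, well-formed CSP source expression (approximate grammar).
def valid_csp_source?(value)
  return false unless value.is_a?(String) && !value.empty?
  # Whitespace, ';' or ',' inside one source would split or inject directives.
  return false if value.match?(/[\s;,]/)
  KEYWORD_SOURCES.include?(value) ||
    value.match?(SCHEME_SOURCE) ||
    value.match?(NONCE_SOURCE) ||
    value.match?(HASH_SOURCE) ||
    value.match?(HOST_SOURCE)
end

# Builds the header value from { "directive-name" => [sources] }, keeping valid
# sources and returning the rejected (directive, value) pairs for logging.
def build_csp(directives)
  rejected = []
  header = directives.map do |name, sources|
    kept = sources.select do |source|
      ok = valid_csp_source?(source)
      rejected << [name, source] unless ok
      ok
    end
    next nil if kept.empty?   # a directive with no valid sources is dropped entirely
    "#{name} #{kept.join(' ')}"
  end.compact.join('; ')
  [header, rejected]
end

# Constructed sample: one malformed value that would otherwise break the header.
if __FILE__ == $PROGRAM_NAME
  header, rejected = build_csp(
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", 'https://cdn.example.com', 'bad value; img-src *', "'nonce-abc123'"]
  )
  puts header
  rejected.each { |name, value| warn "rejected #{name} source: #{value.inspect}" }
end
```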