Thanks @pmusaraj, I added some more checks to make sure we don’t serve invalid urls in the CSP, and also made sure theme-javascript URLs are excluded:
https://github.com/discourse/discourse/commit/f95609ae23ce1604b5f53c9d232e66895cfc9ee7
7 Likes