A rather strict CSP policy should be fine since the frontend is quite simple (basically one big JS bundle and another big CSS file), so we can safely block most things that could result in XSS.
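
A sketch of what such a policy could look like for a single-bundle frontend, with a small linter that flags settings which would weaken it. This is an added example, not the project's own configuration: the names `STRICT_POLICY`, `buildCsp`, `parseCsp` and `lintCsp` are hypothetical, and it assumes the JS bundle, CSS file, images, fonts and API calls are all served from the same origin.

```javascript
// Added example: the names and policy values below are assumptions, not the project's config.
// Assumes the JS bundle, CSS file, images, fonts and API calls are all same-origin.
const STRICT_POLICY = {
  "default-src": ["'none'"],
  "script-src": ["'self'"],
  "style-src": ["'self'"],
  "img-src": ["'self'"],
  "font-src": ["'self'"],
  "connect-src": ["'self'"],
  "base-uri": ["'none'"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Serialize a directive map into a Content-Security-Policy header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into a Map of directive -> source list.
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Report settings that reopen the XSS paths a strict policy is meant to close.
function lintCsp(header) {
  const p = parseCsp(header);
  const findings = [];
  const weak = ["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"];
  const effective = (d) => p.get(d) ?? p.get("default-src");
  for (const d of ["script-src", "style-src", "object-src"]) {
    const src = effective(d);
    if (!src) { findings.push(`${d}: unrestricted (no default-src fallback)`); continue; }
    for (const s of src) {
      if (weak.includes(s.toLowerCase())) findings.push(`${d}: weak source ${s}`);
    }
  }
  // base-uri does not fall back to default-src, so it must be set explicitly.
  if (!p.has("base-uri")) findings.push("base-uri: not set");
  return findings;
}
```

Rolling the header out as `Content-Security-Policy-Report-Only` first shows whether the bundle relies on inline scripts or styles before the policy is enforced.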