Adding as a useful link regarding CSP.
I think there is nothing XWiki can do about that.
I agree that XWiki can't do it, as CSP is either defined by Apache in httpd.conf:
Header set Content-Security-Policy-Report-Only "default-src 'self'; img-src *"
or in NGINX inside the server { } block:
add_header Content-Security-Policy "default-src 'self';";
We can close this issue as invalid and document an example in both pages: