The attached example demonstrates which CSP errors are reported in the browser console.
(When the header "Content-Security-Policy" is used, the browser will stop the page execution on the first error.) Using the report-only mode allows convenient discovery of recurring policy violations.
The example uses the Starter Policy, resulting in reported violations.
To avoid all those errors the policies would need to be loosened like this:
script-src 'self' 'unsafe-inline' 'unsafe-eval';
connect-src 'self' ws://your.server.name:8080/;
style-src 'self' 'unsafe-inline';
The websocket exception is optional and might not be necessary for HTTPS/WSS connections (to be tested).
Attached a custom PageRenderer and AuExtension which allow removing the script-src 'unsafe-inline' policy.
iframe-src is currently needed for upload and download.
style-src is triggered mostly by setting the innerHTML property of a DOM node (a performance/security trade-off could be to parse the HTML before adding it to the DOM).
script-src 'unsafe-eval' is the most tricky part, triggered by almost any AU response when evaluating the returned JSON-like JS object; other places might be addressed in a simpler way.
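The report-only mode mentioned above only helps if the violation reports the browser sends are actually collected and counted. The following is an added example (not code from the original post or from the ZK project) that aggregates Content-Security-Policy-Report-Only reports in the report-uri "csp-report" JSON format and derives the loosened directives shown above. The sample reports, the https://app.example URLs and the source-file paths are constructed placeholders; the websocket URL is the one from the post.

```javascript
// Added example; not code from the original post or the ZK project.
// Aggregates Content-Security-Policy-Report-Only violation reports (the
// report-uri "csp-report" JSON format) so recurring violations are visible
// before switching to the enforcing Content-Security-Policy header.

// Constructed sample reports, shaped like what a browser POSTs to the
// report-uri endpoint while the Starter Policy runs in report-only mode.
// document-uri and source-file values are placeholders.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "https://app.example/index.zul", "line-number": 12 } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "https://app.example/index.zul", "line-number": 40 } },
  // older report shape: only violated-directive, whose first token is the directive
  { "csp-report": { "document-uri": "https://app.example/index.zul", "violated-directive": "script-src 'self'", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "script-src", "blocked-uri": "eval", "source-file": "https://app.example/js/placeholder.js" } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "script-src", "blocked-uri": "eval", "source-file": "https://app.example/js/placeholder.js" } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "connect-src", "blocked-uri": "ws://your.server.name:8080/" } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "style-src", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://app.example/index.zul", "effective-directive": "style-src", "blocked-uri": "inline" } },
  { "not-a-csp-report": {} }, // malformed entry, must be skipped
];

// Tally violations by (directive, blocked-uri). The counts show which
// relaxations are in constant use and which are one-off noise.
function summarizeCspReports(reports) {
  const counts = new Map();
  for (const entry of reports) {
    const body = entry && entry["csp-report"];
    if (!body) continue; // not a CSP report, ignore it
    const directive = body["effective-directive"] ||
      (body["violated-directive"] || "unknown").split(/\s+/)[0];
    const blockedUri = body["blocked-uri"] || "unknown";
    const key = JSON.stringify([directive, blockedUri]);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, count]) => {
      const [directive, blockedUri] = JSON.parse(key);
      return { directive, blockedUri, count };
    })
    .sort((a, b) => b.count - a.count); // stable sort keeps first-seen order on ties
}

// Map a blocked-uri to the source expression that would allow it.
// 'unsafe-inline' and 'unsafe-eval' largely defeat the purpose of CSP, so
// removing the need for them (as the attached PageRenderer/AuExtension does
// for inline script) is preferable to adding them to the policy.
function sourceFor(blockedUri) {
  if (blockedUri === "inline") return "'unsafe-inline'";
  if (blockedUri === "eval") return "'unsafe-eval'";
  try {
    return new URL(blockedUri).origin; // scheme://host[:port]
  } catch {
    return null; // e.g. "data", "blob" or an unparseable value
  }
}

// Group the needed sources per directive, most frequent first.
function suggestRelaxations(summary) {
  const byDirective = {};
  for (const { directive, blockedUri } of summary) {
    const src = sourceFor(blockedUri);
    if (!src) continue;
    byDirective[directive] = byDirective[directive] || [];
    if (!byDirective[directive].includes(src)) byDirective[directive].push(src);
  }
  return byDirective;
}

// Render one directive line in the form shown in the post, starting from 'self'.
function formatPolicyLine(directive, sources) {
  return `${directive} 'self' ${sources.join(" ")};`;
}

// Stand-alone run: print the tally and the resulting loosened directives.
const violationSummary = summarizeCspReports(SAMPLE_REPORTS);
for (const { directive, blockedUri, count } of violationSummary) {
  console.log(`${count}x ${directive} blocked ${blockedUri}`);
}
for (const [directive, sources] of Object.entries(suggestRelaxations(violationSummary))) {
  console.log(formatPolicyLine(directive, sources));
}
```

Run with `node` to see the tally followed by the three loosened directive lines. In a real deployment the reports would come from the endpoint named in the policy's report-uri (or report-to) directive rather than from the constructed array, and the tally is what tells you whether a violation is a systematic one (every AU response hitting 'unsafe-eval') or an isolated page that can be fixed individually.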