- New Feature
- Resolution: Won't Do
- Normal
- 8.5.0
- Security Level: Jimmy
The attached example demonstrates which CSP errors are reported in the browser console (when the "Content-Security-Policy" header is used the browser will stop the page execution on the first error). Using the report-only mode allows convenient discovery of recurring policy violations.
    <?header name="Content-Security-Policy-Report-Only" value="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'"?>
    <zk>
        <div>
            Your Name: <textbox id="name" onOK='response.setValue("Hi, " + self.getValue());'/>
            <button label="Send" onClick='response.setValue("Hi, " + name.getValue());'/>
            <separator/>
            <label id="response"/>
            <separator/>
            <button label="Upload" upload="true" onUpload="Clients.showNotification(event.getMedia().getName());"/>
            <button label="Download" onClick='Filedownload.save("content", "text/plain", "test.txt");'/>
        </div>
    </zk>
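As an added example (not part of this issue and not ZK's own code), the following Python aggregator processes the violation reports a browser POSTs while a page runs in report-only mode. It assumes a report-uri or report-to directive is added to the header (the example header above has none, so its violations only reach the console); the report bodies and URLs below are constructed. It accepts both the legacy csp-report wrapper and the Reporting API shape, skips malformed bodies instead of failing, and groups violations by effective directive and blocked origin, so recurring gaps (inline scripts appear as "inline", eval as "eval") surface as a short ranked list.

```python
"""Aggregate CSP violation reports into a ranked list of recurring violations.

Added example, not code from the ZK issue. Report bodies are constructed.
"""
import json
from collections import Counter

# Constructed sample reports. The first three use the legacy report-uri
# "csp-report" wrapper, the fourth the Reporting API (report-to) object,
# and the last one is a truncated body that must be skipped, not raised on.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/csp-test.zul",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
        "disposition": "report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/csp-test.zul",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
        "disposition": "report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/csp-test.zul",
        "effective-directive": "style-src-elem",
        "violated-directive": "style-src-elem",
        "blocked-uri": "inline",
        "disposition": "report",
    }}),
    json.dumps({"type": "csp-violation",
                "url": "https://app.example/csp-test.zul",
                "body": {"effectiveDirective": "script-src",
                         "blockedURL": "eval",
                         "disposition": "report"}}),
    '{"csp-report": {"effective-directive": "img-src"',  # truncated JSON
]


def parse_report(raw):
    """Normalise one report body to (effective_directive, blocked) or None.

    Handles the csp-report wrapper and the Reporting API object; anything
    else (malformed JSON, unknown shape) yields None so that a report
    endpoint never fails on input the client controls.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if isinstance(doc.get("csp-report"), dict):
        r = doc["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive")
        blocked = r.get("blocked-uri")
    elif doc.get("type") == "csp-violation" and isinstance(doc.get("body"), dict):
        r = doc["body"]
        directive = r.get("effectiveDirective")
        blocked = r.get("blockedURL")
    else:
        return None
    if not directive or blocked is None:
        return None
    # Keywords such as "inline" and "eval" stay as they are; real URLs are
    # reduced to scheme://host so query strings don't split one recurring
    # violation into many distinct entries.
    if "://" in blocked:
        blocked = "/".join(blocked.split("/", 3)[:3])
    return directive, blocked


def aggregate(raw_reports):
    """Count (directive, blocked) pairs; return the counter and how many were skipped."""
    counts = Counter()
    skipped = 0
    for raw in raw_reports:
        parsed = parse_report(raw)
        if parsed is None:
            skipped += 1
        else:
            counts[parsed] += 1
    return counts, skipped


def summarize(counts):
    """Most frequent violations first; ties ordered by directive name for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    counts, skipped = aggregate(SAMPLE_REPORTS)
    for (directive, blocked), n in summarize(counts):
        print(f"{n:4d}  {directive:<16} {blocked}")
    print(f"skipped {skipped} malformed report(s)")
```

The ranked output is what you read before deciding whether a violation deserves a nonce or hash (inline entries), a code change (eval entries), or an allowlisted origin; counting by origin rather than full URL keeps that decision list short.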
The example uses the Starter Policy, resulting in the reported violations.
To avoid all those errors the policy would need to be loosened like this:
    default-src 'none';
    script-src 'self' 'unsafe-inline' 'unsafe-eval';
    frame-src 'self';
    connect-src 'self' ws://your.server.name:8080/;
    img-src 'self';
    style-src 'self' 'unsafe-inline';
    font-src 'self'
The websocket exception is optional and might not be necessary for HTTPS/WSS connections (to be tested).
Attached are a custom PageRenderer and AuExtension which allow removing the script-src 'unsafe-inline' policy.
frame-src is currently needed for upload and download.
The style-src violation is triggered mostly by setting the innerHTML property of a DOM node (a performance/security trade-off could be to parse the HTML before adding it to the DOM).
script-src 'unsafe-eval' is the most tricky part: it is triggered by almost any AU response when evaluating the returned JSON-like JS object; other places might be addressed in a simpler way.
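As an added example (not from the issue or the ZK project), the Python policy linter below parses the starter policy and the loosened policy quoted in this issue, lists per directive what was added or removed, and flags the source expressions that undermine CSP ('unsafe-inline', 'unsafe-eval', '*') or use a plaintext scheme such as ws://. The two policy strings are copied from the issue; the classification rules are this example's own.

```python
"""Compare a baseline CSP with a relaxed one and flag what was weakened.

Added example, not code from the ZK issue. Policies copied from the issue
text; the risk rules are this example's own.
"""

# Starter policy used by the attached example page (from the issue).
STARTER = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
           "img-src 'self'; style-src 'self'; font-src 'self'")

# Loosened policy proposed in the issue to silence every reported violation.
RELAXED = ("default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
           "frame-src 'self'; connect-src 'self' ws://your.server.name:8080/; "
           "img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'")

# Source expressions whose presence largely defeats the directive they sit in.
UNSAFE_REASONS = {
    "'unsafe-inline'": "inline code allowed; this is what CSP exists to block",
    "'unsafe-eval'": "string-to-code (eval, Function) allowed",
    "*": "any origin allowed",
}
# Schemes that move data in clear text.
PLAINTEXT_SCHEMES = ("http://", "ws://")


def parse_csp(policy):
    """Split a serialized policy into {directive: [source expressions]}.

    Directive names are case-insensitive. The first occurrence of a
    directive wins, matching browser behaviour, which ignores duplicates.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def diff_policies(baseline, relaxed):
    """Return {directive: {"added": [...], "removed": [...]}} for directives that changed."""
    changes = {}
    for name in sorted(set(baseline) | set(relaxed)):
        before, after = baseline.get(name, []), relaxed.get(name, [])
        added = [s for s in after if s not in before]
        removed = [s for s in before if s not in after]
        if added or removed:
            changes[name] = {"added": added, "removed": removed}
    return changes


def risk_findings(policy):
    """List (directive, source, reason) for source expressions that weaken the policy."""
    findings = []
    for name, sources in policy.items():
        for src in sources:
            if src in UNSAFE_REASONS:
                findings.append((name, src, UNSAFE_REASONS[src]))
            elif src.startswith(PLAINTEXT_SCHEMES):
                findings.append((name, src, "plaintext scheme; prefer https:/wss:"))
    return findings


if __name__ == "__main__":
    base, loose = parse_csp(STARTER), parse_csp(RELAXED)
    for name, change in diff_policies(base, loose).items():
        print(f"{name}: +{change['added']} -{change['removed']}")
    for name, src, reason in risk_findings(loose):
        print(f"RISK {name} {src}: {reason}")
```

Run against the two policies from this issue, the diff shows exactly the four loosenings the text discusses (script-src, frame-src, connect-src, style-src) and the risk list shows why the attached PageRenderer/AuExtension and a nonce-based approach are worth the effort: they remove the findings instead of silencing them.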
relates to:
- ZK-5265 Add a CSP provider class, which allows the users to define CSPs and provide a nonce used for strict-dynamic support (Closed)
- ZKCHARTS-66 improve CSP header support (Closed)