I've re-enabled the Content Security Policy header to tighten the site's security. Note that this is a technical article.
I have re-enabled and tightened the Content Security Policy (CSP) header for the site, and I have gone through the entire site and evaluated every external source it loads content from in order to update the CSP header.
Inline JavaScript isn't allowed anymore; that was our biggest concern. Inline JavaScript must now carry a nonce (or a matching hash) or it won't load. This is a last line of defense in case someone managed to get a <script> tag rendered, though that shouldn't actually be possible anywhere.
Disqus is working, and so is the calendar page. The only thing I'm not really a fan of anymore is Disqus and its tracking cookies, but we have always needed Disqus to fight blog comment spam. What is interesting is that Google is rolling out blocking of third-party tracking cookies worldwide, in stages, and apart from Disqus we are well ahead of that move.
That likely means we'll have to update the Disqus code in the near future; I'll definitely be monitoring that one. Disqus is directly affected by Google's blocking of third-party tracking cookies, so it will be interesting to see what happens there.