Since all topics on CSP have been closed due to inactivity, I thought it might help to post a working CSP config as a reference for others. The policy is the red text. The whole code piece is the line that can be copied 1:1 for nginx configurations:
add_header Content-Security-Policy "default-src 'self'; require-trusted-types-for 'script'; script-src 'self' https://app.plex.tv/desktop https://assets.plex.tv/deploys/desktop/; style-src 'self' https://app.plex.tv https://assets.plex.tv; object-src 'none'; base-uri 'self'; connect-src 'self' https://assets.plex.tv https://metadata.provider.plex.tv https://news.provider.plex.tv https://plex.tv https://podcasts.provider.plex.tv https://transcoder.plex.tv https://vod.provider.plex.tv https://webshows.provider.plex.tv wss: wss://pubsub.plex.tv; font-src 'self'; frame-src 'self'; img-src 'self' blob: data: https://assets.plex.tv https://provider-static.plex.tv; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
This can for sure be improved, but at least it is an improvement over no policy. (Help much appreciated)
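
As a starting point for tightening the policy, here is an added example (not part of the original post) that parses the header value above and reports two things: directives that have no `default-src` fallback and are absent, and scheme-only sources such as `wss:`. The function names `parse_csp` and `audit` are made up for this example.

```python
import re

# Directives that do not fall back to default-src; if absent, nothing restricts them.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# Policy value copied from the add_header line in the post above.
POLICY = (
    "default-src 'self'; require-trusted-types-for 'script'; "
    "script-src 'self' https://app.plex.tv/desktop https://assets.plex.tv/deploys/desktop/; "
    "style-src 'self' https://app.plex.tv https://assets.plex.tv; "
    "object-src 'none'; base-uri 'self'; "
    "connect-src 'self' https://assets.plex.tv https://metadata.provider.plex.tv "
    "https://news.provider.plex.tv https://plex.tv https://podcasts.provider.plex.tv "
    "https://transcoder.plex.tv https://vod.provider.plex.tv "
    "https://webshows.provider.plex.tv wss: wss://pubsub.plex.tv; "
    "font-src 'self'; frame-src 'self'; "
    "img-src 'self' blob: data: https://assets.plex.tv https://provider-static.plex.tv; "
    "manifest-src 'self'; media-src 'self'; worker-src 'none';"
)

def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive keeps its first value."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(policy):
    """Return a list of (directive, message) findings for the given policy."""
    directives = parse_csp(policy)
    findings = [(name, "missing and not covered by default-src")
                for name in NO_FALLBACK if name not in directives]
    for name, sources in directives.items():
        for src in sources:
            # A bare scheme such as wss: or data: allows every URL with that scheme.
            if re.fullmatch(r"[a-z][a-z0-9+.-]*:", src, re.I):
                findings.append((name, f"scheme-only source {src} allows any URL with that scheme"))
            elif src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                findings.append((name, f"broad source {src}"))
    return findings

if __name__ == "__main__":
    for directive, message in audit(POLICY):
        print(f"{directive}: {message}")
```

For this policy the script reports `form-action` and `frame-ancestors` as missing, `wss:` in `connect-src` (which already covers `wss://pubsub.plex.tv`), and `blob:` and `data:` in `img-src`.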