Thanks. Ideally we would have selfoss send the CSP headers by default but I have not gotten around to considering all the implications yet. We are tracking this in https://github.com/fossar/selfoss/issues/891.

Main issue I see is that, we load images from the original sites (except for the thumbnails, which selfoss caches) by default so image-src 'self' will prevent them from loading. But it can be fine if you mostly read articles on the original sites, rather than directly in selfoss.

Also object-src can probably be removed (so it defaults to none).