For any paths which are not expected to be loaded as the main browser document, any CSP header served should lock down 100%.
Confirm if there are paths which are expected to be loaded as the main browser document (e.g. #1478, potentially other OIDC paths).
I think this is OK:
/oidc/callback has special handling
/oidc/login should always send a redirect rather than rendering content
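One way to enforce the split the thread describes, as an added example that is not part of the issue or the project's own code: a small middleware model that applies a fully locked-down CSP to every response except the paths expected to load as a top-level document, and refuses to serve /oidc/login unless it is a redirect. The exact directives, the DOCUMENT_CSP value, the Response model and the path sets are assumptions for illustration.

```python
# Added illustration, not the project's code. The policy strings, path sets and
# Response type are assumptions; the thread only says non-document paths should
# "lock down 100%" and that /oidc/login should redirect rather than render.
from dataclasses import dataclass, field

# Paths the thread names as legitimately loaded as the main browser document.
DOCUMENT_PATHS = {"/oidc/callback", "/oidc/login"}

# Paths that must only ever hand the browser off with a redirect.
REDIRECT_ONLY_PATHS = {"/oidc/login"}

# Every fetch directive disabled, no framing, no form submission, no base URL:
# safe for API/JSON responses because a browser never renders them as a page.
LOCKED_DOWN_CSP = ("default-src 'none'; frame-ancestors 'none'; "
                   "form-action 'none'; base-uri 'none'")

# Assumed policy for a rendered OIDC document; the real one depends on the app.
DOCUMENT_CSP = "default-src 'self'; frame-ancestors 'none'; base-uri 'none'"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def apply_csp(path: str, resp: Response) -> Response:
    """Set Content-Security-Policy on resp according to the request path."""
    if path in REDIRECT_ONLY_PATHS:
        # A login endpoint must redirect to the IdP. If the handler produced a
        # rendered body instead, fail closed rather than serve unguarded HTML.
        if not (300 <= resp.status < 400 and "Location" in resp.headers):
            return Response(500, {"Content-Security-Policy": LOCKED_DOWN_CSP},
                            b"login handler must redirect, not render")
        # A redirect carries no content, so the locked-down policy is harmless.
        resp.headers["Content-Security-Policy"] = LOCKED_DOWN_CSP
        return resp
    if path in DOCUMENT_PATHS:
        # The callback has its own handling; keep a policy the handler already
        # set and only fall back to the document policy when it set none.
        resp.headers.setdefault("Content-Security-Policy", DOCUMENT_CSP)
        return resp
    # Everything else is never a top-level document: lock it down unconditionally.
    resp.headers["Content-Security-Policy"] = LOCKED_DOWN_CSP
    return resp


if __name__ == "__main__":
    api = apply_csp("/api/users", Response(200, {"Content-Type": "application/json"}, b"{}"))
    print(api.headers["Content-Security-Policy"])
```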