This is about wikimedia/slimapp.
Although AbstractApp::configureHeaderMiddleware() can easily be overridden by a prooject using it, I'd like to suggest a small modification to the Content Security Policy header as it's defined in Slimapp:
This would make it possible to use files from e.g. //tools-static.wmflabs.org/cdnjs
The change is just to add *.wmflabs.org to some items in the Content-Security-Policy header:
default-src 'self' *.wmflabs.org; style-src 'self' 'unsafe-inline' *.wmflabs.org;
I'm not sure what other ramifications this might have though, so I thought I'd ask here. :-)