The app's CSP is: "csp": "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
The CSP should also require Trusted Types for scripts by adding require-trusted-types-for 'script' to the policy; with that directive enforced, DOM XSS injection sinks such as innerHTML, eval and script.src refuse plain strings and accept only values created through a Trusted Types policy.
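As an added example (not code from the original page), the following parses the policy quoted above into its directives, checks whether it enforces Trusted Types for scripts, and produces the hardened policy with the missing directive appended; the parser and helper names are assumptions for this illustration.

```javascript
// Added example, not from the original page: inspect a CSP string for the
// Trusted Types requirement and emit the hardened variant.
// The policy below is the one quoted in the text.
const ORIGINAL_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";

// Parse "name value value; name value" into { name: [values] }.
// Directive names are case-insensitive; a repeated directive is ignored,
// which matches how browsers treat duplicates (first one wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// True when the policy makes DOM injection sinks (innerHTML, eval,
// script.src, ...) reject plain strings that did not pass through a
// Trusted Types policy created with trustedTypes.createPolicy().
function enforcesTrustedTypes(policy) {
  const values = parseCsp(policy)['require-trusted-types-for'] || [];
  return values.includes("'script'");
}

// Return the policy with the Trusted Types requirement appended, or the
// policy unchanged if it already enforces it (idempotent).
function hardenCsp(policy) {
  if (enforcesTrustedTypes(policy)) return policy;
  const trimmed = policy.replace(/;?\s*$/, '');
  return trimmed + "; require-trusted-types-for 'script'";
}

// Directives that are still permissive after hardening; Trusted Types only
// covers DOM sinks, so a wildcard default-src remains worth reviewing.
function wildcardDirectives(policy) {
  const d = parseCsp(policy);
  return Object.keys(d).filter((name) => d[name].includes('*'));
}

console.log(hardenCsp(ORIGINAL_CSP));
console.log('wildcard directives:', wildcardDirectives(ORIGINAL_CSP));
```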