CSP is a technical measure for enforcing privacy (and, to a lesser extent, security) standards. Technical measures should always be informed by policy decisions, not the other way around.
There are various de facto standards relating to user scripts and what is and is not acceptable to do in them. We should make these standards explicit.
Issues at hand:
* When is it acceptable to load external non-script data? (Current de facto standard: with user consent, and only for non-default scripts.)
* When is it acceptable to load external scripts? (Current de facto standard: same as above, although I'd like to change it.)
* Is it acceptable to load data from Toolforge without user consent, or in default gadgets? (Current de facto standard: mostly no, but this is often not enforced.)
** A major sub-part of this is fonts served from the Toolforge CDN.
A secondary issue might be to what extent scripts are allowed to store user data or track users in cookies and similar storage (current de facto standard: no rules, as long as the data is not sent to an external party).
This needs to be discussed with various stakeholders.