I've recently been spending a bit of time helping out a client who's working through an upgrade project, and the work to move from v9.1 to v9.3 raised an interesting issue I wasn't aware of. So in the spirit of making life easier for others, here's what happened:
Ages ago I wrote up a bit about how your public sites should consider implementing Content Security Policy because of all the hacks it can prevent. In a bit of frustrating irony, I was tripped up by a problem caused precisely because Sitecore have added some CSP headers to their own code. Google came up empty on this, so I'm documenting it for the next person who gets bitten.