Each path below is served by Cloudflare Pages with a different Content-Security-Policy response header. Open each one to run live resource-loading probes and see exactly what the policy blocks.
Broad: default-src 'self' https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'. Almost everything over HTTPS is allowed.
Locked-down: default-src 'none' with explicit per-directive allowlists (script-src, connect-src, frame-src, media-src, …).
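The two policies can be compared offline with a small source-list matcher. This is an added example, not code from the demo site: the page origin and the strict policy's allowlist values are constructed for illustration, and the matcher covers only 'self', 'none', scheme sources and exact origins (no wildcards, paths, nonces or hashes).

```javascript
// Added example: simplified CSP source-list matching, not a full CSP3 implementation.
const PAGE_ORIGIN = "https://demo.example.test"; // constructed origin
const BROAD = "default-src 'self' https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'"; // from the page
// Constructed values: the page names these directives but not their allowlists.
const STRICT = "default-src 'none'; script-src 'self'; connect-src 'self' https://api.example.test; " +
  "frame-src https://embed.example.test; media-src 'self' blob:";

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives (script-src, img-src, ...) fall back to default-src when absent.
function sourcesFor(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

// scheme://host[:port]; blob: and data: URLs have no host, so they never equal a web origin.
const originOf = (u) => `${u.protocol}//${u.host}`;

function allowsUrl(header, directive, url, pageOrigin = PAGE_ORIGIN) {
  const sources = sourcesFor(parsePolicy(header), directive);
  if (sources === null) return true; // nothing in the policy governs this directive
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'" || src.startsWith("'unsafe-")) return false; // keywords never match a URL
    if (src === "'self'") return originOf(target) === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase(); // scheme source
    return originOf(target) === src; // exact origin match only
  });
}

// Inline <script>/<style> is permitted only when the effective list carries 'unsafe-inline'.
function allowsInline(header, directive) {
  const sources = sourcesFor(parsePolicy(header), directive);
  return sources === null || sources.includes("'unsafe-inline'");
}
```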