Problems with Content Security Policy

[pensivedog]

I'm using the Hugo Hyas starter kit and trying to get Decap CMS to work with builds on Netlify and authentication with Netilfy Identity. The CMS works fine locally using npx decap-server but fails in production due CSP violations. Problems with script-src, style-src, and img-source. The only way I was able to get it to work was by commenting out the entire CSP, so my netlify.toml file now looks like this:

# Custom headers — https://docs.netlify.com/routing/headers/#syntax-for-the-netlify-configuration-file
[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-XSS-Protection = "1; mode=block"
#    Content-Security-Policy = "default-src 'self'; manifest-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self'"
    X-Frame-Options = "SAMEORIGIN"
    Referrer-Policy = "strict-origin"
    Feature-Policy = "geolocation 'self'"
    Cache-Control= '''
    public,
    max-age=31536000'''
    Access-Control-Allow-Origin = "*"

Is this leaving my site vulnerable?

There's an old, still-open issue here about this, but I wasn't able to figure out any other actionable approach from it.

Has anyone else encountered and solved this?