After viewing a spirited discussion on Twitter focused on “developer-kids these days” not knowing how to use the <link> tag in HTML, and that subsequently making them “not belong in the craft”, I thought I’d extend my tutelage to you poor souls.
It would protect against rogue AJAX POSTs as well.
The connect-src directive protects against any scripted connection. That includes things like
XMLHttpRequest (regardless of method) and also the lesser-thought-of things like