diff --git a/lib/csp.js b/lib/csp.js
index 74404413c..fa2f95bb3 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -4,11 +4,22 @@ const { v4: uuidv4 } = require('uuid')
 const CspStrategy = {}
 const defaultDirectives = {
- defaultSrc: ['\'self\''],
- scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
- imgSrc: ['*'],
- styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
- fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
+ defaultSrc: ['\'none\''],
+ baseUri: ['\'self\''],
+ connectSrc: ['\'self\''],
+ fontSrc: ['\'self\''],
+ frameSrc: ['https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
+ imgSrc: ['*'], // we allow using arbitrary images
+ scriptSrc: [
+ config.serverURL + '/build/',
+ config.serverURL + '/js/',
+ config.serverURL + '/config',
+ 'https://gist.github.com/',
+ 'https://vimeo.com/api/oembed.json',
+ 'https://www.slideshare.net/api/oembed/2',
+ '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
+ ],
+ styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
 objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
 mediaSrc: ['*'],
 childSrc: ['*'],
@@ -43,9 +54,7 @@ CspStrategy.computeDirectives = function () {
 mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
 mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
 mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
- if (!areAllInlineScriptsAllowed(directives)) {
- addInlineScriptExceptions(directives)
- }
+ addInlineScriptExceptions(directives)
 addUpgradeUnsafeRequestsOptionTo(directives)
 addReportURI(directives)
 return directives
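Review bot: The `config.serverURL + '/build/'` entries in scriptSrc and styleSrc degrade to bare paths such as `/build/` when `config.serverURL` is empty or unset, and a path with no scheme or host is not a valid CSP source expression, so browsers discard it and the application's own scripts are then covered only by the remaining entries (including `'unsafe-inline'`); unless the config layer guarantees serverURL is populated, which this hunk does not show, guard it with something like `config.serverURL ? config.serverURL + '/build/' : '\'self\''`. The comment on `'unsafe-inline'` is accurate only while the final script-src also carries a nonce or hash; if `addInlineScriptExceptions` contributes none for a given response, the effective policy permits every inline script. With connectSrc now `'self'`, browsers implementing only CSP Level 2 do not match `ws:`/`wss:` against `'self'`, so if the app opens a same-host WebSocket an explicit `wss:` origin for serverURL's host may be needed. The defaultDirectives object continues past the end of the hunk.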
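Review bot: With the guard removed, the unconditional `addInlineScriptExceptions(directives)` call is now what makes the `'unsafe-inline'` entry in script-src inert for nonce/hash-aware browsers, but nothing at the call site records that dependency; a comment above it, `// always add the inline-script hashes: their presence makes modern browsers ignore 'unsafe-inline'`, would stop a later refactor from reinstating the condition. `areAllInlineScriptsAllowed` has no caller left in this hunk; if it is unused elsewhere in the file it should be deleted rather than left as dead code. computeDirectives starts before the hunk and the helpers it calls are defined outside it, so whether addInlineScriptExceptions is idempotent when the directives already contain hashes cannot be confirmed from here.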