content-security-policy: upgrade-insecure-requests; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self'; form-action 'self'; img-src * data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; font-src * data:; object-src *; media-src *; frame-src *;
cusdis does not show at all due to its usage of fetch():
same for goatconter's javascript widget. see the console.
via htmlcommentbox. while it shows, commenting is broken due to its usage of form