Security headers: XSS-Protection, nosniff, referrer policy, CSP
(unsafe-* in development, to deal with dev server)
Opting out of Google's FLoC
Set theme color meta (unset is black)
Styled <noscript> to look a little nicer and included instructions on
how to enable JavaScript.
Throw error if root element to mount the application is missing
Use locally-fetched HLS.js instead of the runtime script injection of
the ReactPlayer (TODO: remove this component entirely; logged a bug
with the upstream project as well)