Partial revert of #183, as it was a bit over zealous
Update defaults API
CSP for changed back to object-src: none, not default-src: none. Less secure, but more broadly applicable, default-src: none is going to work for ~0% of sites 😅
Added cross-origin-opener-policy: same-origin as default
Remove default permissions policy - it's easy to add it now
Partial revert of #183, as it was a bit over zealous
object-src: none, notdefault-src: none. Less secure, but more broadly applicable,default-src: noneis going to work for ~0% of sites 😅cross-origin-opener-policy: same-originas defaultdefault-src: noneto CSP