ctrlplusb / react-universally

A starter kit for universal react applications.
MIT License
1.7k stars 244 forks

CSP errors for polyfill.io in various browsers #536

Open oyeanuj opened 6 years ago

oyeanuj commented 6 years ago

I've been noticing CSP errors related to polyfill.io in various different browsers. So I thought creating an umbrella issue might be helpful in case anyone else has solved them or comes across it in the future:

Chrome

GET https://cdn.polyfill.io/v2/polyfill.min.js?features=default,es6,object.assign,intl 
net::ERR_BLOCKED_BY_CLIENT

Safari

Unrecognized Content-Security-Policy directive 'manifest-src'.

Firefox (Developer Edition v57)

Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://react-universally-test.herokuapp.com 'nonce-18bc1263-95ae-40e8-8785-e8215a35e085' 'unsafe-inline' https://cdn.polyfill.io”). Source: ;(function installGlobalHook(window) {

All of these can be reproduced on: https://react-universally-test.herokuapp.com/

oyeanuj commented 6 years ago

Update: I found the problem with the Chrome error above. It was happening because Ghostery blocks polyfill.io by default. Here is the tracking ticket for that: https://github.com/Financial-Times/polyfill-service/issues/1426

oyeanuj commented 6 years ago

Has anyone got this repo to work with React DevTools on Firefox? It seems like I can't get the right CSP setting that Firefox likes - any ideas or anyone willing to share their CSP settings that work?
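
Added example, not part of the thread or of the react-universally code: a small evaluator for the `script-src` value quoted in the Firefox message above. It shows why an inline script with no nonce (like the `installGlobalHook` source in that message) is blocked even though `'unsafe-inline'` is listed. The function names are hypothetical, and hash matching against script content is not modelled.

```javascript
// Policy copied from the Firefox console message quoted in the issue.
const POLICY =
  "script-src https://react-universally-test.herokuapp.com " +
  "'nonce-18bc1263-95ae-40e8-8785-e8215a35e085' 'unsafe-inline' https://cdn.polyfill.io";

// Parse a serialized CSP into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const isNonce = (s) => /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/.test(s);
const isHash = (s) => /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/i.test(s);

// Decide whether an inline <script> is allowed. Browsers ignore
// 'unsafe-inline' once any nonce-source or hash-source is listed.
// scriptNonce is the nonce attribute of the script, or null if it has none.
function checkInlineScript(policy, scriptNonce) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };

  const hasNonceOrHash = sources.some((s) => isNonce(s) || isHash(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");

  if (scriptNonce && sources.includes(`'nonce-${scriptNonce}'`)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  if (unsafeInline && !hasNonceOrHash) {
    return { allowed: true, reason: "'unsafe-inline' in effect" };
  }
  return {
    allowed: false,
    reason: unsafeInline
      ? "'unsafe-inline' ignored: nonce-source or hash-source specified"
      : 'no matching nonce and no unsafe-inline',
  };
}

// An inline script without a nonce, evaluated against the quoted policy.
console.log(checkInlineScript(POLICY, null));
```
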