你站的CSP策略如下

content-security-policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://telegra.ph https://www.telegra.ph https://web.archive.org https://i.imgur.com https://pbs.twimg.com https://i.ytimg.com https://upload.wikimedia.org https://i0.wp.com https://i1.wp.com https://i2.wp.com https://i3.wp.com https://github.com https://pages.github.com https://raw.githubusercontent.com; media-src https://youtu.be https://www.youtu.be https://youtube.com https://www.youtube.com;

其中的img-src项允许用户自行传递图片的几个网站，如https://raw.githubusercontent.com。在极端情况下，网络军队可能掌握chrome等浏览器的图像渲染0day漏洞，并发布恶意图像，使访问者的安全无法得到保证。