> CSP is nasty

Despite the very graphical description, I still don't understand why you don't like CSP. As the server owner, you set your own CSP rules, and if you don't want anything removed, don't configure it like that? It's all opt-in.

Obviously it doesn't fix all classes of potential security issues, but neither would anything else either, it's just one piece of the puzzle.