 <!-- Bootstrap CSS -->
 <link
   rel="stylesheet"
-  href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"
-  integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T"
-  crossorigin="anonymous">
+  href="https://tools-static.wmflabs.org/cdnjs/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"
+  integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T">

and similar changes for the other linked-to resources. Two specific questions:

The integrity token is the same, no matter which mirror I get it from?
I can drop the crossorigin attribute since I'm not doing CORS any more?

On Jun 23, 2020, at 3:06 PM, MusikAnimal <musikanimal@gmail.com> wrote:

The Content Security Policy violations are report-only, if that's what you're referring to. Popper, Bootstrap, jQuery and Selectize are all available via https://cdnjs.toolforge.org/ which will get around the CSP directive. For fonts you could try https://fontcdn.toolforge.org/

~ MA