Thanks for posting this. This is immediately useful to me.
Correctly implementing a CSP is surprisingly tricky, though if you take the time to do it you’ll likely be most of the way to an A+ grade on Mozilla Observatory. Even though this doesn’t really count as a comprehensive security measure, it does inhibit a whole class of attack vectors, and it goes a long way to put your business in a favourable light when your Observatory grade is presented to investors and clients.
Speaking from experience.