What is the maximally permissive Content-Security-Policy?

tl;dr use "report only" mode to introduce a policy to a legacy site.

See w3.org/TR/CSP2/#source-list-guid-matching.

As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.

Therefor, something along the lines of default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss: is probably close to the most lenient policy. There are more protocols that may need to be whitelisted, of course.


HOWEVER

Typically people take the opposite approach. They will deploy the header with Content-Security-Policy-Report-Only: default-src 'none' which will not affect the loading of your site and will allow you to ratchet down your policy based on the violations or console warnings.

I highly recommend you start with the caspr chrome extension to create an initial policy and then use report-uri.io to view report violations. When your policy seems stable and violations are minimal, then switch your policy to enforce mode.


Try

default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
script-src * 'unsafe-inline' 'unsafe-eval'; 
connect-src * 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
frame-src *; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';

Even with this, you might still find violations, if you find them, report it to me!