More permissive CORS policies.

public/includes/head.html

@@ -6,7 +6,16 @@
 
 <meta http-equiv="Content-Security-Policy" content="
     default-src 'self';
-    script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://cdn.jsdelivr.net https://*.fontawesome.com;
+    script-src 'self' 'unsafe-inline'
+      https://www.googletagmanager.com
+      https://cdn.jsdelivr.net
+      https://*.fontawesome.com;
+    media-src 'self'
+      https://www.youtube.com https://youtu.be
+      https://www.linkedin.com;
+    frame-src 'self'
+      https://www.youtube.com/embed/ https://youtu.be/embed/
+      https://www.linkedin.com/embed/;
     style-src 'self' 'unsafe-inline' https://*.fontawesome.com;
     font-src 'self' https://*.fontawesome.com;
     connect-src 'self' https://*.fontawesome.com;