I updated the software today, and saw that the manual entries that I made in the htaccess file now show in the header protection area for content-security-policy. This rendered the admin buttons to save/save&close/close useless. I tested it by commenting out that function, and the buttons regained function. The function was the same with Safari, Chrome, and Firefox.
This is what I have:
default-src 'self' domain.com; img-src 'self'; style-src 'self'; connect-src 'self'; sandbox 'allow-same-origin';
Testing the site here: securityheaders.com, shows no errors, although Joomla has its own content-security-policy and x-frame-options headers that I haven't found, which produces a duplicate error message.
I actually did that as well. I removed the htaccess file, and set the one back that came originally with Joomla, then applied your security and mod-rewrite to it; then I retested commenting out that section, with the same results.
<quote>Setting your CSP disables the buttons, but if you set other CSP (for example default-src http: data: 'unsafe-inline' 'unsafe-eval') everything works fine.</quote>
This isn't so. Those directives are set somewhere and somehow that is not visible, and the Joomla developers blame your software for that, as there is a duplicate entry, which the CSP checking sites both complain about. When I disable the good directives, and leave those you have mentioned, which those same sites say are not good, the buttons work.