Busy inplementing a strong CSP for the domain: much more work than I expected
Google tagmanager requires a nonce, but that needs mod_unique_id which wasn't installed, but the webhost is very helpful and activated it right away, works fine on Apache-side
Quantcast-choice which generates the cookie-policy application that let's visitors choose to accept or decline, is causing the biggest problem, it breaks the whole website. But now that mod_unique_id is installed I could try use a nonce for that too.
Two of the four scripts are going to use nonces, so why not try that with all the scripts?
So: back to an empty CSP and start all over...