There are different levels of maturity with your security headers, and Sqreen's cookies are scoped to a completely different subdomain my.sqreen.io versus www.sqreen.io. It looks to me like they are doing everything right.
There is no shame in having your CSP header in Report Only. It's complicated to manage your assets, especially when using a tag manager where it's not obvious what the hell the URI/hosts are that will be loaded.
There are different levels of maturity with your security headers, and Sqreen's cookies are scoped to a completely different subdomain my.sqreen.io versus www.sqreen.io. It looks to me like they are doing everything right.
There is no shame in having your CSP header in Report Only. It's complicated to manage your assets, especially when using a tag manager where it's not obvious what the hell the URI/hosts are that will be loaded.