Would be useful to customize the CSP headers on custom CMS domain in order to prevent XSS attacks on the CMS UI.
With custom CSP, each user can decide which domains are allowed to run scripts on the CMS UI, preserving the standard CMS behaviour and plugins, but avoiding running random stuff from the web.
Also you can prevent inline scripts to be run, further protecting editors from copy-pasting malicious stuff and then having it execute accidentally.