Thanks Quan. I checked the console and it looked to be an error that was caused by the Content-Security-Policy header specifically.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-x...sw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Removing this header in particular solved the issue. I can revisit fixing the values inside our CSP, but for now this works.
There is some information available about the CSP in the documentation here:
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/content-security-policy
Larry, have you considered looking into packages within the Optimizely Community?
There is Jhoose.Security.Admin which allows you to manage your CSP within the CMS which you can read more on here: https://github.com/andrewmarkham/contentsecuritypolicy
Thanks Ynze and Mark for the links to the documentation. I will definitely be looking into Jhoose Security Admin. This is great.
I tried adding HTTP security headers using custom middleware, similar to the way it's implemented here. https://blog.emman.dev/asp.net/2021/10/25/add-http-security-headers-in-asp.net-core-5-using-custom-middleware
Although the headers do show up correctly for all requests, it causes errors in the CMS. I thought by moving it around to different places in the request processing pipeline I could make it work, but that doesn't seem to be the case. Has anyone implemented custom http headers in CMS 12?