A few days ago, one of our clients asked us to enable Content-Security-Policy (CSP) on their email server. This is what I did:
zmprov mcf +zimbraResponseHeader "Content-Security-Policy: default-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; img-src 'self' data:"
This configuration has been tested on Zimbra 10 and has worked well so far. Below are the results before and after enabling CSP:
Before: [screenshot]

After: [screenshot]
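To see what the policy set with zmprov above actually permits, here is a small parser and linter for CSP header values. This is an added example, not part of the original post and not Zimbra tooling; the policy string inside it is the one from the zmprov command, the fallback-to-default-src list follows the CSP specification for fetch directives, and the set of "risky" source expressions is my own choice for what a reviewer would flag.

```python
"""Parse a Content-Security-Policy header value and report weak sources.

Added example for this post; not part of the post or of Zimbra itself.
"""

# The policy exactly as set via zmprov in the post (header value only).
ZIMBRA_CSP = (
    "default-src https: 'self' 'unsafe-inline'; "
    "script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; "
    "object-src 'none'; img-src 'self' data:"
)

# Fetch directives that fall back to default-src when not set explicitly
# (subset taken from the CSP3 specification).
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
)

# Source expressions that weaken a policy, with the reason they matter.
# This selection is the example's own, not a list from any standard.
RISKY_SOURCES = {
    "'unsafe-inline'": "allows inline scripts/styles, which is what XSS injects",
    "'unsafe-eval'": "allows eval() and new Function() on injected strings",
    "https:": "allows loading from any HTTPS origin, not only this server",
    "data:": "allows data: URIs; normal for images, dangerous for scripts/objects",
    "*": "allows any origin",
}


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';', tokens by whitespace, and directive
    names are case-insensitive. A repeated directive is ignored by
    browsers, so the first occurrence wins here as well.
    """
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return the source list that actually governs a fetch directive.

    A fetch directive that is absent inherits default-src; anything else
    that is absent has no sources at all.
    """
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def lint_csp(header_value):
    """Return (directive, source, reason) findings for the directives that
    matter most for script execution and plugin content."""
    policy = parse_csp(header_value)
    findings = []
    for directive in ("script-src", "object-src", "style-src", "img-src"):
        for src in effective_sources(policy, directive):
            if src not in RISKY_SOURCES:
                continue
            # data: URIs in img-src are the common, accepted use; skip them.
            if src == "data:" and directive == "img-src":
                continue
            findings.append((directive, src, RISKY_SOURCES[src]))
    return findings


if __name__ == "__main__":
    for directive, sources in parse_csp(ZIMBRA_CSP).items():
        print(f"{directive:12} {' '.join(sources)}")
    print()
    for directive, src, reason in lint_csp(ZIMBRA_CSP):
        print(f"{directive:12} {src:16} {reason}")
```

Run against the policy from the post, the linter reports that object-src 'none' is clean, that style-src is inherited from default-src (so it carries 'unsafe-inline' and https: too), and that script-src permits 'unsafe-inline', 'unsafe-eval' and any HTTPS origin. That is the trade-off the post's policy makes to keep the Zimbra web client working; the checker is a quick way to confirm what a policy change really allows before rolling it out.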
Good luck 🙂