I have a Content-Security-Policy for my WordPress Website (LAMP-Server):
set Content-Security-Policy "base-uri 'self'; default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src 'self' https://secure.gravatar.com; script-src 'self' 'unsafe-inline' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'self'; form-action 'self'; frame-ancestors 'self';"
This CSP prevents me from activating any check box in WordPress (either the check box that remembers my login or the check boxes that let me select which theme to update) (Tested with Firefox in Linux and Chrome on Android).
Without CSP everything works as expected.
Any hint on which CSP is required to make that work again is greatly appreciated.