diff --git a/caddy/10-headers.caddy b/caddy/10-headers.caddy
index 5bf92d86..a933290f 100644
--- a/caddy/10-headers.caddy
+++ b/caddy/10-headers.caddy
@@ -20,7 +20,7 @@ header ?Cross-Origin-Embedder-Policy credentialless
 # Simplified CSP by removing everything which was set to "none", since the default-src is "none" anyways, except for base-uri and frame-ancestors which don't have default-src fallback: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
- header +Content-Security-Policy "default-src 'none'; script-src 'self' https://plausible.thenewoil.org; connect-src 'self' https://plausible.thenewoil.org; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self' data: ; media-src 'self' data: ;"
+ header +Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self' data: ; media-src 'self' data: ;"
 header +Content-Security-Policy "form-action 'self'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-scripts allow-popups;"
 # why is this set to 0? see: https://github.com/privacyguides/privacyguides.org/pull/2021#issuecomment-1444083670
diff --git a/src/components/layout/DefaultHead.astro b/src/components/layout/DefaultHead.astro
index 7ec8ccce..a4a89f36 100644
--- a/src/components/layout/DefaultHead.astro
+++ b/src/components/layout/DefaultHead.astro
@@ -42,7 +42,6 @@ const title = `${config.title}${pageTitle && ` | ${pageTitle}`}`;
-
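Review bot: The tightened `+ header +Content-Security-Policy` line now allow-lists no third-party origin in script-src or connect-src, but nothing records that this policy must track the script and fetch origins used in src/components/layout/DefaultHead.astro, which the same commit edits (its removed line is cut off in this view, so I cannot confirm what it drops); a later re-add of an analytics tag there would be blocked silently. Suggest a comment directly above that line: `# Keep in sync with src/components/layout/DefaultHead.astro: any third-party script or fetch origin used there must be allow-listed in script-src/connect-src.` If such breakage should be visible rather than silently blocked, a parallel Content-Security-Policy-Report-Only header with a report-to or report-uri target would surface violations, though that is beyond this change. The enclosing Caddy block starts and ends outside the hunk.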