Replying to this comment because, though it's vague in specifics, it reads as authoritative and knowledgeable. In reality, it confuses/conflates multiple things.
Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.