Multiple "[Report Only] Refused to" errors printed in console
So, recently our club website (github) built using Hugo started experiencing some weird errors:
ubccsss.org/:18 [Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn-images.mailchimp.com https://stackpath.bootstrapcdn.com". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
ubccsss.org/:21 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-DHXPwsK0sUB04Cpx/p9VRcY2HXZRRCxZE9GTp6Qgzoo=' https://www.google-analytics.com https://code.jquery.com/ https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-2aej2NMomaWbXkuQ2U+nO2Ml3BVDypWd9GMDFxCkS3M='), or a nonce ('nonce-...') is required to enable inline execution.
ubccsss.org/:1 [Report Only] Refused to load the script 'https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-DHXPwsK0sUB04Cpx/p9VRcY2HXZRRCxZE9GTp6Qgzoo=' https://www.google-analytics.com https://code.jquery.com/ https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
ubccsss.org/:375 [Report Only] Refused to frame 'https://open-web-calendar.herokuapp.com/' because it violates the following Content Security Policy directive: "frame-src https://docs.google.com https://campus.fn.lc".
ubccsss.org/:1 Access to XMLHttpRequest at 'https://www.google-analytics.com/j/collect?v=1&_v=j96&a=1866781411&t=pageview&_s=1&dl=https%3A%2F%2Fubccsss.org%2F&ul=en-gb&de=UTF-8&dt=UBC%20Computer%20Science%20Student%20Society%20%7C%20UBC%20CSSS&sd=24-bit&sr=1536x864&vp=1087x714&je=0&_u=AACAAEABAAAAAC~&jid=1667142744&gjid=1316297348&cid=825846745.1632536115&tid=UA-88004303-1&_gid=521946931.1643025799&_r=1&_slc=1&z=801267447' from origin 'https://ubccsss.org' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
www.google-analytics.com/j/collect?v=1&_v=j96&a=1866781411&t=pageview&_s=1&dl=https%3A%2F%2Fubccsss.org%2F&ul=en-gb&de=UTF-8&dt=UBC%20Computer%20Science%20Student%20Society%20%7C%20UBC%20CSSS&sd=24-bit&sr=1536x864&vp=1087x714&je=0&_u=AACAAEABAAAAAC~&jid=1667142744&gjid=1316297348&cid=825846745.1632536115&tid=UA-88004303-1&_gid=521946931.1643025799&_r=1&_slc=1&z=801267447:1 Failed to load resource: net::ERR_FAILED
ubccsss.org/:375 [Report Only] Refused to frame 'https://open-web-calendar.herokuapp.com/' because it violates the following Content Security Policy directive: "frame-src https://docs.google.com https://campus.fn.lc".
ubccsss.org/:1 [Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn-images.mailchimp.com https://stackpath.bootstrapcdn.com". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
ubccsss.org/:18 [Report Only] Refused to load the
I have no idea what the cause of these errors is, but apparently, it does not have any actual effect on the website. We have been making changes to the website recently so I'm guessing that the bug lies in something we recently added. It'd be great if someone could let me know why these issues usually occur so that we'll be able to go through the recent commits and find the source of these bugs.
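The console messages in the question can be reduced to the origins and inline-script hashes that each CSP directive does not list. The following is an added example, not part of the original post: `parseViolation` and `summarize` are hypothetical helper names, and the sample lines are abridged copies of the output above (package path shortened, trailing notes dropped).

```javascript
// Added example, not from the original post. Sample lines are abridged copies of
// the console output above; the CORS line is included to show it is skipped.
const sampleLog = [
  `ubccsss.org/:18 [Report Only] Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/bootstrap/dist/css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn-images.mailchimp.com https://stackpath.bootstrapcdn.com".`,
  `ubccsss.org/:21 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-DHXPwsK0sUB04Cpx/p9VRcY2HXZRRCxZE9GTp6Qgzoo=' https://www.google-analytics.com https://code.jquery.com/ https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-2aej2NMomaWbXkuQ2U+nO2Ml3BVDypWd9GMDFxCkS3M='), or a nonce ('nonce-...') is required to enable inline execution.`,
  `ubccsss.org/:1 [Report Only] Refused to load the script 'https://cdn.jsdelivr.net/npm/bootstrap/dist/js/bootstrap.bundle.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-DHXPwsK0sUB04Cpx/p9VRcY2HXZRRCxZE9GTp6Qgzoo=' https://www.google-analytics.com https://code.jquery.com/ https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com".`,
  `ubccsss.org/:375 [Report Only] Refused to frame 'https://open-web-calendar.herokuapp.com/' because it violates the following Content Security Policy directive: "frame-src https://docs.google.com https://campus.fn.lc".`,
  `ubccsss.org/:375 [Report Only] Refused to frame 'https://open-web-calendar.herokuapp.com/' because it violates the following Content Security Policy directive: "frame-src https://docs.google.com https://campus.fn.lc".`,
  `ubccsss.org/:1 Access to XMLHttpRequest at 'https://www.google-analytics.com/j/collect' from origin 'https://ubccsss.org' has been blocked by CORS policy`,
];

const VIOLATION = /Refused to (?:load the \w+|frame|execute inline script)(?: '([^']+)')? because it violates the following Content Security Policy directive: "([^"]+)"/;

// Turn one console line into { reportOnly, directive, allowed, blocked }, or null
// when the line is not a CSP violation (e.g. the CORS and net::ERR_FAILED lines).
function parseViolation(line) {
  const m = line.match(VIOLATION);
  if (!m) return null;
  const [directive, ...allowed] = m[2].trim().split(/\s+/);
  const origin = m[1] ? (m[1].match(/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]+/i) || [])[0] : null;
  // For inline scripts the browser prints the hash that would permit that exact script.
  const hash = (line.match(/a hash \('(sha(?:256|384|512)-[^']+)'\)/) || [])[1];
  return {
    reportOnly: line.includes('[Report Only]'),
    directive,
    allowed,
    blocked: origin || (hash ? `'${hash}'` : null),
  };
}

// Group blocked sources per directive and count violations that were actually enforced.
function summarize(lines) {
  const missing = {};
  let enforced = 0;
  for (const v of lines.map(parseViolation)) {
    if (!v || !v.blocked) continue;
    if (!v.reportOnly) enforced += 1;
    missing[v.directive] = missing[v.directive] || new Set();
    missing[v.directive].add(v.blocked); // Set drops repeated console lines
  }
  const out = {};
  for (const [d, s] of Object.entries(missing)) out[d] = [...s];
  return { missing: out, enforced };
}

console.log(summarize(sampleLog));
```

An `enforced` count of 0 means every violation came from a report-only policy, which logs violations without blocking the resource. Each listed source should be reviewed before it is added to the matching directive.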
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
