As I am quite new to the topic of CSP, I have installed a Chrome plugin called CSP Evaluator.
When logged in in my owncloud instance, it shows the following hints:
_script-src _
'self' can be problematic if you host JSONP, Angular or user uploaded files.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
As far as I understand the aim of CSP, it is meant to mitigate XSS attacks. Hence the script-src is one of the most important tags. Both, self and unsave-eval should be replaced by an external script which can not be modified by a XSS attack.