You can read up on enabling it on your site. CSP is very restrictive by default, and then you whitelist what you want to allow. For example with a simple policy like this:
Content-Security-Policy: default-src 'self'
No content at all will load that isn't on the exact same domain. Not even subdomains. To loosen that up, you specify domains you trust and want to allow.
If you wanted to allow CodePen embeds, you'd use:
Content-Security-Policy: script-src assets.codepen.io production-assets.codepen.io ;
Note there is two domains there. The first is an older URL that we used to use (and will always support) and the second is the newer one.
This comes from Nicolas Hoffmann's CSP-useful repo where he documents the bits of policies needed to allow certain third-parties, like CodePen.