Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-abc'; connect-src 'self';