Set-Cookie: object-src-no-url-allowed={{$id:uuid()}}; Path=/content-security-policy/object-src/ Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}