Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to default