Look at the Content-Security-Policy header:

Content-Security-Policy: script-src 'strict-dynamic' http: https: 'unsafe-inline';
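
An added example, not part of the original page: it evaluates the script-src list above as a CSP Level 3 browser would and as a CSP Level 2 browser would. Under CSP3, 'strict-dynamic' causes scheme and host sources, 'self' and 'unsafe-inline' to be ignored, while a CSP2 browser ignores 'strict-dynamic' itself. The function names (parsePolicy, effectiveScriptSources, audit) are chosen here for illustration.

```javascript
// Policy value taken from the header on this page.
const HEADER = "script-src 'strict-dynamic' http: https: 'unsafe-inline';";

// Split a serialized policy into { directive-name: [source expressions] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)[^']+'$/i.test(s);
const isQuoted = (s) => /^'.*'$/.test(s); // keyword, nonce or hash source
const is = (s, kw) => s.toLowerCase() === kw;

// Source expressions that still affect script loading at a given CSP level.
function effectiveScriptSources(sources, level) {
  const strictDynamic = level >= 3 && sources.some((s) => is(s, "'strict-dynamic'"));
  const hasNonceOrHash = sources.some(isNonceOrHash);
  return sources.filter((s) => {
    // CSP2 browsers do not know 'strict-dynamic' and skip it.
    if (is(s, "'strict-dynamic'")) return level >= 3;
    // A nonce or hash (CSP2+) or 'strict-dynamic' (CSP3) disables 'unsafe-inline'.
    if (is(s, "'unsafe-inline'")) return !(hasNonceOrHash || strictDynamic);
    // 'strict-dynamic' also drops 'self' and every scheme or host source.
    if (strictDynamic && (is(s, "'self'") || !isQuoted(s))) return false;
    return true;
  });
}

function audit(policy) {
  const sources = parsePolicy(policy)['script-src'] || [];
  const csp3 = effectiveScriptSources(sources, 3);
  const csp2 = effectiveScriptSources(sources, 2);
  return {
    csp3, csp2,
    // 'strict-dynamic' with no nonce or hash: a CSP3 browser has nothing to trust.
    noTrustAnchor: csp3.some((s) => is(s, "'strict-dynamic'")) && !csp3.some(isNonceOrHash),
    // Older browsers fall back to the permissive sources.
    legacyAllowsInline: csp2.some((s) => is(s, "'unsafe-inline'")),
  };
}

console.log(audit(HEADER));
```

For the header on this page the result is csp3 = ['strict-dynamic'] only and csp2 = http: https: 'unsafe-inline', with both flags set.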