Content-Security-Policy: default-src 'self' blob: ; script-src 'unsafe-eval'