Content-Security-Policy-Report-Only: default-src 'self';