Content-Security-Policy: connect-src 'none'