Content-Security-Policy: script-src * 'unsafe-inline'