Content-Security-Policy: default-src 'none'; script-src cdn.jsdelivr.net 'unsafe-eval'