X-Content-Security-Policy: allow 'self'