X-Content-Security-Policy: default-src *; options inline-script