X-Content-Security-Policy: default-src 'self'   ,    allow *