content-security-policy: default-src *;