Content-Security-Policy: default-src *; script-src 'unsafe-inline'