"Content-Security-Policy", "default-src 'self'"