# Disable the use of unsafe inline/eval, allow everything else except plugin execution Content-Security-Policy: default-src *; object-src 'none' # #