http-equiv="Content-Security-Policy" content="script-src 'self'"