Header always set Content-Security-Policy: "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com"