michael@0: Content-Security-Policy: default-src 'self' 'unsafe-inline';
michael@0: X-Content-Security-Policy: allow 'self' 'inline-script';