default-src 'unsafe-inline' http: 'self' data:; upgrade-insecure-requests; frame-ancestors 'self';