when the server sends a restrictive Content-Security-Policy header,
Content-Security-Policy: default-src \'self\'; script-src \'self\'; img-src \'self\'
the fo
