Content-Security-Policy: connect-src 'none';
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'