Content-Security-Policy: Ignoring 'unsafe-inline' within script-src: nonce-source or hash-source specified