Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src *
default-src 'self' 'unsafe-inline'; img-src *
This page allows 'unsafe-inline' scripts. Try injecting a script: