From Kromonos, 3 Months ago, written in Apache.
Embed
  1. Header set Content-Security-Policy "default-src 'self'; frame-src www.google.com 'self'; font-src 'self'; img-src www.google-analytics.com 'self'; script-src www.google.com www.gstatic.com www.google-analytics.com www.googletagmanager.com maps.googleapis.com 'self' 'unsafe-eval' 'unsafe-inline'; style-src www.googletagmanager.com maps.googleapis.com 'self' 'unsafe-inline';"