script-src

selfblob: ‘unsafe-inline’ ‘unsafe-eval’ unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com

The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.