script-src

Default Attribute
selfblob: ‘unsafe-inline’ ‘unsafe-eval’ unpkg.com cdn.jsdelivr.net cdnjs.cloudflare.com
Policy Description
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.