⚖ 'unsafe-eval' in worker-src / child-src does not work, it must be specified in script-src; the worker-src directive covers only the worker creation, the executing of worker's script is controlled by other
Content Security Policy for Single Page Web Apps | Square Corner Blog
Content security policy
Optimizely's Content-Security-Policy Journey | by Ola Nordstrom | Engineers @ Optimizely | Medium
Using Content Security Policy (CSP) to Secure Web Applications | Invicti
Content Security Policy (CSP) Headers
On Ubuntu 16 "Unrecognized Content-Security-Policy directive" reported from some tests · Issue #1194 · coreinfrastructure/best-practices-badge · GitHub
Content Security Policy: Event logged in csp dblog raised by the module [#3167319] | Drupal.org
Safari only bug: 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. · Issue #397 · google/google-api-javascript-client · GitHub
Content-Security-Policy not workin… | Apple Developer Forums
Safari doesn't like CSP
Content Security Policy with Google Analytics & Tag Manager | Bounteous
Unrecognized Content-Security-Policy directive 'referrer'. - Salesforce Developer Community
On Cross-Site Scripting and Content Security Policy