with notes

<meta
http-equiv="Content-Security-Policy"
content="
default-src 'self' 'unsafe-inline';
font-src fonts.gstatic.com 'self';
style-src fonts.googleapis.com 'self' 'unsafe-inline';
script-src 'self' web.archive.org 'unsafe-inline' 'unsafe-eval';
script-src-elem 'self' 'unsafe-inline';
img-src 'self' data:;
manifest-src 'self';
connect-src 'self' 'unsafe-inline';
object-src 'none';"
>
- font-src & style-src definitions for Google Fonts
- script-src for web.archive.org indexing
- img-src data: for images embedded as data: URIs
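
An audit of the policy above, written as an added example that is not part of the original notes: it parses the directives and reports entries that weaken the policy or have no effect as written. The names `parseCsp` and `auditCsp` and the finding texts are this example's own.

```javascript
// Added example. POLICY is copied from the meta tag above; everything else
// (function names, finding texts) is this example's own.
const POLICY = `
default-src 'self' 'unsafe-inline';
font-src fonts.gstatic.com 'self';
style-src fonts.googleapis.com 'self' 'unsafe-inline';
script-src 'self' web.archive.org 'unsafe-inline' 'unsafe-eval';
script-src-elem 'self' 'unsafe-inline';
img-src 'self' data:;
manifest-src 'self';
connect-src 'self' 'unsafe-inline';
object-src 'none';`;

// Split a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return review findings: weakening keywords, no-op entries, missing directives.
function auditCsp(directives) {
  const findings = [];
  const get = (...names) => names.map((n) => directives.get(n)).find(Boolean) || [];
  const script = get('script-src', 'default-src'); // governs eval()
  const scriptElem = get('script-src-elem', 'script-src', 'default-src'); // governs <script>
  const pinned = scriptElem.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scriptElem.includes("'unsafe-inline'") && !pinned)
    findings.push("<script>: 'unsafe-inline' lets injected inline scripts run");
  if (script.includes("'unsafe-eval'"))
    findings.push("script-src: 'unsafe-eval' allows eval() and similar string-to-code sinks");
  if (directives.has('script-src-elem'))
    for (const s of get('script-src'))
      if (!s.startsWith("'") && !scriptElem.includes(s))
        findings.push(`script-src: ${s} is not applied to <script> elements, script-src-elem takes precedence`);
  for (const d of ['connect-src', 'img-src', 'font-src', 'manifest-src'])
    if (get(d).includes("'unsafe-inline'"))
      findings.push(`${d}: 'unsafe-inline' has no effect in this directive`);
  // base-uri does not fall back to default-src, so it must be set explicitly.
  if (!directives.has('base-uri')) findings.push('base-uri: missing, <base> is unrestricted');
  return findings;
}

console.log(auditCsp(parseCsp(POLICY)).join('\n'));
```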