# Sets
#
# Should yield the follwoiung header:
# "Content-Security-Policy: default-src 'self';
#      script-src 'self' example.com;object-src 'none';
#      upgrade-insecure-requests"
# Note: embedded single quotes are required
default-src: [ "'self'" ]
base-uri: [ "'self'" ]
font-src:
  - "'self'"
  - "https:"
  - "data:"
form-action: [ "'self'" ]
frame-ancestors: [ "'self'" ]
img-src:
  - "'self'"
  - "data:"
object-src: [ "'none'" ]
script-src: 
  - "'self'" 
  - example.com
script-src-attr: [ "'none'" ]
style-src:
  - "'self'"
  - "https:"
  - "'unsafe-inline'"
upgrade-insecure-requests: []