Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' data: blob:; frame-ancestors 'none';

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://js.stripe.com https://cdn.eu.pendo.io https://js.userflow.com https://0lb0kfsm1ts6.statuspage.io https://data.telemetry.semble.io https://registrar.widget.heidihealth.com https://widget.heidihealth.com https://embedding.workato.com https://v1.widgets.posos.co; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; connect-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data: blob:; frame-src 'self' https://app.powerbi.com https://js.stripe.com/v3/ https://0lb0kfsm1ts6.statuspage.io https://data.telemetry.semble.io https://semble-test.whereby.com https://semble.whereby.com https://s3.eu-west-2.amazonaws.com https://s3.eu-west-3.amazonaws.com https://portal.productboard.com https://app.eu.workato.com https://v1.widgets.posos.co https://efficience2.icanopee.net; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; worker-src 'self' blob:;