Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self' https://*.googleapis.com https://*.firebaseio.com https://formsubmit.co; img-src 'self' data: blob:; form-action 'self' https://formsubmit.co; frame-ancestors 'none'