Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://connect.facebook.net https://www.googletagmanager.com https://www.google-analytics.com https://googleads.g.doubleclick.net https://www.googleadservices.com https://www.google.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.openmaptiles.org; media-src 'self' blob:; connect-src 'self' https://bird.com https://*.bird.com wss://bird.com wss://*.bird.com wss://*.preview.bird.com https://*.s3.eu-west-1.amazonaws.com https://basemaps.cartocdn.com https://api.open-meteo.com https://archive-api.open-meteo.com https://tiles.openfreemap.org https://api.frankfurter.app https://graph.facebook.com https://pricing.p.mbirdcdn.net https://www.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://googleads.g.doubleclick.net https://www.googleadservices.com https://stats.g.doubleclick.net https://td.doubleclick.net https://www.googletagmanager.com https://www.google.com; frame-src 'self' blob: https://open.spotify.com https://www.youtube.com https://www.facebook.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self' https://accounts.google.com; object-src 'none'; worker-src 'self' blob:; report-uri https://bird.com/api/csp-report; report-to csp-endpoint