Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; upgrade-insecure-requests; script-src 'self' https://www.gstatic.com https://apis.google.com https://www.google.com https://maps.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: blob: https://*.tile.openstreetmap.org https://unpkg.com https://maps.gstatic.com https://*.googleapis.com https://*.gstatic.com https://*.ggpht.com https://*.firebasestorage.app https://firebasestorage.googleapis.com https://*.googleusercontent.com; worker-src 'self' blob:; connect-src 'self' https://*.googleapis.com https://*.gstatic.com https://*.firebaseio.com wss://*.firebaseio.com wss://*.googleapis.com https://firebase.googleapis.com https://firebaseinstallations.googleapis.com https://identitytoolkit.googleapis.com https://securetoken.googleapis.com https://firestore.googleapis.com https://firebasestorage.googleapis.com https://photon.komoot.io https://apis.google.com https://www.googleapis.com https://login.microsoftonline.com https://graph.microsoft.com https://graph.facebook.com https://www.facebook.com https://appleid.apple.com https://*.a.run.app https://*.run.app; frame-src 'self' https://*.firebaseapp.com https://accounts.google.com https://accounts.youtube.com https://appleid.apple.com https://www.facebook.com https://login.microsoftonline.com https://apis.google.com https://www.google.com https://maps.googleapis.com https://js.stripe.com https://hooks.stripe.com; form-action 'self' https://checkout.stripe.com https://billing.stripe.com https://connect.stripe.com