Content-Security-Policy-Report-Only | script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google-analytics.com connect.facebook.net *.mxpnl.com apis.google.com *.googleapis.com *.googlesyndication.com *.gstatic.com *.twitter.com *.stripe.com *.newrelic.com tinymce.cachefly.net *.pinterest.com api.flattr.com *.s3.amazonaws.com dosvtuos3w10g.cloudfront.net; style-src 'self' 'unsafe-inline' *.googleapis.com tinymce.cachefly.net *.s3.amazonaws.com dosvtuos3w10g.cloudfront.net; connect-src 'self' *.mixpanel.com *.boxcloud.com *.box.com *.s3.amazonaws.com dosvtuos3w10g.cloudfront.net; media-src 'self' *.box.com; object-src 'self' translate.googleapis.com *.s3.amazonaws.com dosvtuos3w10g.cloudfront.net; default-src *; font-src 'self' *.googleusercontent.com *.gstatic.com *.s3.amazonaws.com dosvtuos3w10g.cloudfront.net; img-src 'self' data: *.google.com *.googleapis.com *.facebook.com *.youtube.com *.s3.amazonaws.com maps.gstatic.com csi.gstatic.com ssl.gstatic.com tinymce.cachefly.net www.google-analytics.com *.pinterest.com *.pinimg.com *.nr-data.net www.paypalobjects.com *.s3.amazonaws.com *.gravatar.com *.stripe.com dosvtuos3w10g.cloudfront.net; frame-src 'self' *.doubleclick.net *.facebook.com *.google.com *.twitter.com api.flattr.com *.stripe.com; report-uri /csp-report; |