Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://dev.virtualearth.net https://maps.googleapis.com/; object-src 'self'; form-action 'self'; worker-src 'self'"