script-src https://cdn.example.com/scripts/; object-src 'none'