Policy B — Strict allowlist

default-src 'none';
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.clarity.ms www.gstatic.com www.google.com www.googletagmanager.com cdn.jsdelivr.net my.productfruits.com *.iubenda.com;
connect-src 'self' api.hubdelivery.io my.productfruits.com keepan.eyeonev.com www.googletagmanager.com region1.google-analytics.com https: wss://ws.dcbprotect.com:*;
img-src 'self' https: data: blob:;
style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net;
font-src 'self' fonts.gstatic.com cdn.jsdelivr.net data:;
frame-src www.google.com www.googletagmanager.com *.iubenda.com my.productfruits.com;
worker-src 'self' blob:;
object-src 'none'; base-uri 'self'; frame-ancestors 'self'; form-action 'self';
upgrade-insecure-requests;
media-src 'self' cdn.plyr.io media.hubdelivery.io;

Probes

CSP violation reports

none yet…