base-uri block-all-mixed-content child-src connect-src default-src fenced-frame-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src prefetch-src report-to report-uri require-trusted-types-for sandbox script-src-attr script-src-elem script-src Sources style-src-attr style-src-elem style-src trusted-types upgrade-insecure-requests worker-src