= Notes on Content Security Policies =

* script-src should only restrict the final URL, not all the URLs in the redirect chain.
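
The two enforcement models this note contrasts, checking every URL in the redirect chain versus checking only the final one, shown side by side. This is an added example, not code from this page or from any browser. The matcher is a simplified assumption (scheme and host only, with a leading "*." wildcard), and the function names and hostnames are constructed for illustration.

```javascript
// Simplified model of script-src matching over a redirect chain (added example).
// Only scheme + host are compared; ports, paths, nonces and hashes are left out.

function parseSources(directive) {
  // "script-src https://a.example https://*.b.example" -> list of source objects
  const [name, ...sources] = directive.trim().split(/\s+/);
  if (name !== "script-src") throw new Error("expected a script-src directive");
  return sources.map((s) => {
    const m = /^(https?):\/\/(\*\.)?([^/:]+)$/.exec(s);
    if (!m) throw new Error("unsupported source expression: " + s);
    return { scheme: m[1], wildcard: Boolean(m[2]), host: m[3].toLowerCase() };
  });
}

function urlMatches(sources, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  const host = url.hostname.toLowerCase();
  return sources.some((src) =>
    src.scheme === scheme &&
    (src.wildcard ? host.endsWith("." + src.host) : host === src.host));
}

// chain[0] is the URL written in the page; the last entry is the URL that
// finally returns the script body.
function checkEveryHop(sources, chain) {
  const blockedAt = chain.findIndex((u) => !urlMatches(sources, u));
  return { allowed: blockedAt === -1, blockedAt };
}

function checkFinalOnly(sources, chain) {
  const last = chain.length - 1;
  const allowed = urlMatches(sources, chain[last]);
  return { allowed, blockedAt: allowed ? -1 : last };
}

// Constructed sample data.
const policy = parseSources("script-src https://cdn.example.com https://*.static.example");
const viaUnlistedHop = [
  "https://go.redirector.example/lib.js",  // not in the policy
  "https://cdn.example.com/lib/v2/lib.js", // in the policy
];
const endsOffPolicy = [
  "https://cdn.example.com/lib.js",        // in the policy
  "https://other.example/lib.js",          // not in the policy
];

console.log("every hop, unlisted first hop:", checkEveryHop(policy, viaUnlistedHop));
console.log("final only, unlisted first hop:", checkFinalOnly(policy, viaUnlistedHop));
console.log("final only, off-policy final URL:", checkFinalOnly(policy, endsOffPolicy));
```

The models disagree only on the first chain: final-only enforcement accepts a load that passed through a host the policy never listed, so the listed origin's redirects decide what is reachable.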