Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

Remove unsafe-inline and data: from script-src, overly broad sources from object-src and script-src, and ensure object-src and script-src are set.

Does not redirect to an HTTPS site.

Referrer-Policy header set unsafely to origin, origin-when-cross-origin, unsafe-url or no-referrer-when-downgrade.