Inline script should run with policy "script-src 'self' 'unsafe-inline'".